Why You Should Be Wary of Kernel-Level Anti-Cheat

Kernel-level anti-cheat has become a popular term among gamers lately. But what does it mean, and why did it cause so much uproar in the community? A brief explanation of kernel-level anti-cheat and the hazards such software could pose.


Lately, the gaming community seems to be up in arms against anti-cheat, with the word “kernel” thrown into the mix as well. From competitive multiplayer games like Valorant to (mostly) single-player titles such as Doom Eternal and Genshin Impact, kernel-level anti-cheat seems to be one of this year’s buzzwords. But what exactly does that computer mumbo-jumbo mean? Well, lucky for you, I am going to discuss what this thing is supposed to mean, and what danger it could potentially cause.

What Is “Kernel-Level” In The First Place?

Credits to Hertzsprung at Wikipedia.


In case you didn’t know or have only just heard about it: simply put, the kernel is the core program of your computer’s operating system. It has complete control over everything that your computer runs: software, hardware access, you name it. Thus, any software that runs at the “kernel level” can make any kind of change that affects your entire system. Think of it as the foundation of your house. It was built carefully to make sure the structure can last for decades, but if you let any random passerby walking in front of your house remodel the foundation, your house would instantly collapse.

In the context of the privilege level chart above, while there are four Rings (from Ring 0, the most privileged, to Ring 3, the least privileged), modern operating systems only use Ring 0, or kernel level, for “supervisor” access and Ring 3 for “user” applications. That’s why, most of the time, kernel-level access is limited and isn’t available to ordinary applications. Usually, it’s restricted to device drivers that do need to tweak some system functionality. This is also why anti-cheat applications install device drivers that ask for kernel-level access.

The main argument for kernel-level anti-cheat is that cheat programs work at the supervisor level so that they can change how the game operates (and that’s why you should always be careful when installing shady cheat .exes). The anti-cheats then try to counteract them by blocking other programs that they assume contain security vulnerabilities. See the problem here?

Yep. The problem comes when that assumption results in false flags or, worse, when the software itself somehow gets hacked or repurposed by a malicious third party, as you will read in this article. That’s pretty much the gist of it. But knowing the meaning of the term is only half the battle.

Why You Should Be Wary Of Them

Security vulnerabilities should be your biggest concern instead of people ruining the fun.


For example, Denuvo Anti-Cheat on Doom Eternal reportedly could reinstall itself after being uninstalled, without the game running at all. Why would you want any unwanted software to keep coming back after you voluntarily remove it from your system? Valorant’s Vanguard Anti-Cheat was also blocking falsely flagged drivers used by overclocking, fan, and temperature monitoring applications when it was first released. Sure, you could simply dismiss those two cases as just “annoyances”. But in extreme cases, bad things could (and did) happen.

An anti-cheat made by the E-Sports Entertainment Association made headlines in 2013 when one rogue developer used the software’s kernel access to turn test users’ computers into bitcoin miners. Before he was caught, the developer reportedly managed to rake in more than $3,700 in just two weeks. ESEA apologized, issued a free month of ESEA Premium, increased their Season 14 League prize pool by $3,700, and donated twice that amount to the American Cancer Society. The 20-year-old PunkBuster, infamous for randomly banning people in Battlefield, is also prone to exploits that allow hackers to perform remote code execution or denial-of-service attacks. So yeah, kernel-level programs like these could easily, even if unintentionally, give backdoor access to unwanted third parties. Imagine if they could auto-reinstall like Eternal’s Denuvo. Or what if you are trying to troubleshoot which programs are conflicting with your system, but they keep reinstalling themselves without you noticing?


I do understand that Ring 3 software like Valve Anti-Cheat or the system used by Overwatch isn’t the most effective way to combat cheaters. If you play the games or do a quick Google search, you can find people complaining about them. But at the end of the day, the only purpose of anti-cheat software is to make your game-playing experience more comfortable. Remember, it’s just a game (especially if you’re not competing for prizes). It’s not as vital to your computer’s health as something like anti-virus or anti-malware applications and hardware drivers. So you should treat software with privileged access that could potentially risk your privacy and security with caution, instead of blindly putting your trust in the developers.

Simply uninstalling it when you’re not playing and reinstalling it later isn’t a solution. That’s a band-aid that only throws extra annoyance back in our own faces. But by criticizing the issue and asking or helping others in the community to raise concerns, even if developers don’t fully remove their kernel-level anti-cheat, they could at least 1) make it less annoying by adding more drivers to the program’s whitelist, and 2) minimize the potential vulnerabilities by making it stop running after you close the game. Because there is one last thing to remember: it is our right as consumers to criticize the products we consume to make sure they don’t overstep their boundaries. As long as we do it in a civilized and adult manner, of course.
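
To check which third-party kernel drivers are installed on a Windows machine and whether they stay loaded after the game is closed, here is an added example (not part of the original article). The function names are hypothetical, and filtering on a signer subject containing `O=Microsoft` is a heuristic assumption used to hide the operating system's own drivers.

```powershell
# Added example: audit third-party kernel-mode drivers on Windows.
# Shows whether each one is running right now and how it is set to start.

function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    # Driver image paths may carry NT-style prefixes; normalise to a file path.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-ThirdPartyKernelDriver {
    # Heuristic (assumption): a signer subject naming Microsoft means the
    # driver belongs to the OS, so it is left out of the report.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.ServiceType -in 'Kernel Driver', 'File System Driver' } |
        ForEach-Object {
            $path   = Resolve-DriverPath $_.PathName
            $signer = 'file not found'
            $status = 'n/a'
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig    = Get-AuthenticodeSignature -LiteralPath $path
                $status = [string]$sig.Status
                $signer = 'no signer certificate'
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State      # Running / Stopped
                StartMode = $_.StartMode  # Boot, System, Auto, Manual, Disabled
                SigStatus = $status
                Signer    = $signer
                Path      = $path
            }
        } |
        Where-Object { $_.Signer -notmatch 'O=Microsoft' }
}

# Running drivers first, then by start mode and name.
Get-ThirdPartyKernelDriver |
    Sort-Object @{ Expression = { $_.State -ne 'Running' } }, StartMode, Name |
    Format-Table Name, State, StartMode, SigStatus, Signer -AutoSize -Wrap
```

A driver listed as Running while no game is open, or with a StartMode of Boot or System, is loaded regardless of whether you are playing. Running the report before and after uninstalling a game also shows whether its driver was actually removed.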

2 Comments

  1. The main issues are coming from Windows hackers, and Linux users that don’t have the official install, and somehow with Wine can fix all what the unfair Microsoft’s OS has, then the people that create games and MOBAs are making us buy more consoles for gaming or making us use Steam more, if that’s the case. I hope all gamers finish moving to Linux and leave this kind of practices that only affect the main users.

  2. Actually, VAC is not kernel-level. If it were kernel-level, then it would not be able to run under WINE.

    WINE is Linux’s compatibility layer that lets it run Windows applications. WINE simply converts Windows API calls into POSIX/UNIX calls that will work under Linux, but it does not emulate the Windows kernel, so kernel-based anticheat software and DRM will detect if you are using WINE to play the game on something not running Windows, and it will false-positive, thinking that you are cheating because it does not understand how to interface with the Linux kernel.

    If VAC were ring-0 level, then it would not be able to run within WINE. Of course, many Valve games run on the Source engine and have native Linux ports, and VAC does have a Linux version, but when running the Windows version of games using VAC, VAC does not seem to care. It CAN detect virtual machines, although it does not do so at a kernel level.
