EA announced its latest salvo in the endless cat-and-mouse battle of PC gaming cheat detection on Tuesday, and the effort prominently features one term sure to raise a red flag for some users: “kernel mode.”
The new kernel-level EA Anti-Cheat (EAAC) tools will roll out with the PC version of FIFA 23 this month, EA announced, and will eventually be added to all of its multiplayer games (including those with ranked online leaderboards). But strictly single-player titles “may implement other anti-cheat technology, such as user-mode protections, or even forgo leveraging anti-cheat technology altogether,” EA Senior Director of Game Security & Anti-Cheat Elise Murphy wrote in a Tuesday blog post.
Unlike anti-cheat methods operating in an OS’s normal “user mode,” kernel-level anti-cheat tools provide a low-level, system-wide view of how cheat tools might mess with a game’s memory or code from the outside. That allows anti-cheat developers to detect a wider variety of cheating threats, as Murphy explained in an extensive FAQ:
When cheat programs operate in kernel space, they can make their cheat functionally invisible to anti-cheat solutions that live in user-mode. Unfortunately, the last few years have seen a large increase in cheats and cheat techniques operating in kernel-mode, so the only reliable way to detect and block these is to have our anti-cheat operate there as well.
Privacy and security concerns
Some users are understandably wary that granting a game such low-level system permissions could expose private information on their systems. In an attempt to assuage some of those fears, Murphy said that the team has “limited the information EAAC collects” and that the system will “only look at what it needs to for anti-cheat purposes.”
Everything that isn’t a process that’s “trying to interact with our game” is strictly “off limits,” she continued. “We’ve worked with independent, 3rd-party computer security and privacy services firms to ensure EAAC operates with data privacy top of mind.”
Privacy aside, some users might also worry that a new kernel-level driver could destabilize or hamper their system (à la Sony’s infamous music DRM rootkits). But Murphy promised that EAAC is designed to be “as performant and lightweight as possible. EAAC will have negligible impact on your gameplay.”
In addition, EAAC only runs when the game is running, Murphy wrote, and should thus have no effect on other uses of the system. And EAAC tools can be easily uninstalled alongside the game itself or separately (though the underlying game will no longer be playable in the latter case).
Kernel-level tools can also provide an appealing new attack surface for low-level security exploits on a user’s system. To account for that, Murphy said her team has “worked with independent, 3rd-party security and privacy assessors to validate EAAC does not degrade the security posture of your PC and to ensure strict data privacy boundaries.” She also promised daily testing and constant report monitoring to address any potential issues that pop up.
A never-ending battle
While adding kernel-level protections to anti-cheat tools doesn’t make them foolproof, such tools “require a different (more strenuous) approach from cheat developers to attack,” as Riot Games Anti-cheat Lead Paul Chamberlain told Ars in 2020. That increases the difficulty (and cost) of making effective cheating tools and “reduces the incentives for cheat developers because their cheats become harder to make, less convenient for players to install, and just overall less profitable to sell,” he continued.
But game developers often face significant user pushback over such stringent anti-cheat efforts. Such pushback led id Software to remove Denuvo’s kernel-mode anti-cheat system from Doom Eternal just days after it was rolled out. And Riot eventually added the ability to turn off its Vanguard anti-cheat driver via the system tray to allay user concerns about its kernel-level driver (users still have to restart their OS and the Vanguard system if they want to play Valorant, however).
For users on Windows 11, Riot has already gone beyond its own kernel-level processes, requiring the use of TPM and Secure Boot at the system level to guarantee Vanguard-protected games are running without outside interference from cheat programs. But even a system like that may struggle with computer-vision-based cheat programs, which use capture cards and external processing to give users seemingly preternatural reflexes. As always, the battle rages on.