this post was submitted on 11 Nov 2024
276 points (100.0% liked)

Gaming

30558 readers
206 users here now

From video gaming to card games and stuff in between, if it's gaming you can probably discuss it here!

Please Note: Gaming memes are permitted to be posted on Meme Mondays, but will otherwise be removed in an effort to allow other discussions to take place.

See also Gaming's sister community Tabletop Gaming.


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
 

Steam store pages received a new Anti-cheat field. Disclosure is mandatory for kernel-level anti-cheat solutions. And recommended for other anti-cheat solutions (like server-side or non-kernel-level client-side).

The field discloses the anti-cheat product, whether it is a kernel-level installation, and whether it uninstalls with the product or requires manual removal to remove.

Screenshot of anti-cheat indications

all 34 comments
sorted by: hot top controversial new old
[–] [email protected] 49 points 1 week ago (2 children)
[–] GetOffMyLan 13 points 1 week ago (1 children)
[–] [email protected] 28 points 1 week ago (1 children)

I'm assuming the user meant all kernel level anti-cheat is malware

[–] GetOffMyLan 13 points 1 week ago (2 children)

I'm sure they did and it's not. Malware isn't defined by its privileges but what it does.

[–] [email protected] 17 points 1 week ago (1 children)

Malware isn’t defined by its privileges but what it does.

Correct... and anything that intercepts all system calls and forces closed applications that it deems "not safe" even if I the user specifically run it is malware. You bet your ass they feed back information to the mothership too.

And btw, if you're accepting the "Spyware" moniker from the other comment chain. Spyware is a form/category of malware.

Definition from Malwarebytes:

Hostile, intrusive, and intentionally nasty, malware seeks to invade, damage, or disable computers, computer systems, networks, tablets, and mobile devices, often by taking partial control over a device’s operations.

Hostile - it's not meant to help you at all. If you're doing something deemed "unsafe" in their eyes. They will take action up to and including stealing your money that you paid for the game. intrusive - embeds itself in the kernel Intentionally nasty - Well it's not accidentally nasty.

invade - attached to games with little to no input on what you're installing. disable computer systems - specifically the software you paid for Taking partial control over a device's operations - the whole fucking kernel.

I'd say meeting the VAST majority of the definition and at least one portion of each category is sufficient to call them all malware.

[–] GetOffMyLan 10 points 1 week ago* (last edited 1 week ago) (3 children)

No it's literally not what malware is. Otherwise anti virus would be. And anti malware haha

It's literally none of those things mentioned.

You are doing massive mental gymnastics. Intentionally nasty for an anit cheat is just stupid. You 100% know that's not what that means.

It also doesn't invade, damage, disable or take control of the system.

Just because you don't like it doesn't make it malware.

[–] [email protected] 9 points 1 week ago (2 children)

Taking kernel level actions to stop processes on YOUR machine is absolutely taking control of the system.

Kernel level anti-cheats meet every requirement. Just because you think there's gymnastics going on doesn't make it so. It's actually well established in the security field that they count.

[–] [email protected] 8 points 1 week ago (1 children)

Have kernel-level anti-cheat systems ever stopped processes? Unrelated to the anti-cheat and the game itself?

I would imagine they would kick and ban you, not control other processes.

[–] [email protected] 9 points 1 week ago

They have kernel access... They can control anything since they're in the kernel. And yes, I've seen it.

If you remember back in the late 2000's early 2010's there were a boatload of apps that would hook into games to do things like display overlays for chats (Teamspeak for example, overwolf as another.) some kernel anti-cheats would stop those processes from starting up.

But don't take my word for it.


https://www.pcgamer.com/according-to-experts-on-kernel-level-anticheat-two-things-are-abundantly-clear-1-its-not-perfect-and-2-its-not-going-anywhere/

I'm less worried about developers abusing kernel access, and more concerned with potential vulnerabilities introduced for third-party actors to exploit. Rigney cited two examples: the infamous Extended Copy Protection (XCP) from Sony, which bad actors used to compromise affected systems, as well as a backdoor vulnerability introduced by Street Fighter 5's kernel level anticheat. In 2022, a ransomware developer also took advantage of Genshin Impact's kernel level anticheat to disable antivirus processes.

Introduces backdoors to be used by malicious actors.


https://www.pcgamer.com/the-controversy-over-riots-vanguard-anti-cheat-software-explained/

Vanguard detects software with vulnerabilities which could be exploited by cheat makers, and blocks some of it.

Blocks external softwares that it deems "vulnerable"


https://old.reddit.com/r/gaming/comments/xf1cwr/the_insanity_of_eas_anticheat_system_by_a_kernel/

This is far from the first time that boot level firmware or kernel mode code inserted via patches or drivers have been used to install spyware, but every time I see it happen I want to warn users about the consequences, and provide some information about the danger.

Kernel devs beg users to not allow this shit.


Just look it up. All sorts of articles and experts have spoken on it.

[–] GetOffMyLan 2 points 1 week ago (1 children)
[–] [email protected] 2 points 1 week ago (1 children)

Source for what in specific?

That stopping processes is a kernel action? Go ahead. Open powershell and ask it to close some other system process... The UAP prompt (if you're on windows, linux will just fail silently most of the time unless you sudo or are root) that shows up is the kernel validating that you even have permissions to do that. The kernel handles ALL task scheduling/management. When you close something you're asking the kernel to do it. The kernel also handles ALL file management and driver management (drivers being extensions of the kernel). So the fact that it can read other active DLLs and such hooked into other processes (say your graphics drivers) is literally proof.

That industry agrees that it's malware? Depends on which part of industry I suppose. But if it's able to do all these actions at the kernel level, and attached itself it to other software to install, often doesn't uninstall when you remove the game it was attached to, AND gets flagged by anti-viruses that don't have it whitelisted yet... It's definitionally malware. Go search for "Is malware". Very few people will argue that they're not.

Hell it's possible for anti-cheats to write to UEFI if they really wanted to. There's no legitimate reason for that level of access, 0, none.

[–] GetOffMyLan 1 points 1 week ago* (last edited 1 week ago) (2 children)

I'm a programmer I understand what they are. I understand why they suck.

Stopping processes is actually a user space action. You can do it without admin rights btw. Even if it popped the admin screen that's still not a kernel level action.

Asking the kernel to do something is basically all operations and not the same as kernel level access.

Yeah that it's considered malware. I did Google it and there's nothing saying that.

[–] [email protected] 2 points 1 week ago (1 children)

Stopping processes is actually a user space action. You can do it without admin rights btw. Even if it popped the admin screen that’s still not a kernel level action.

Absolutely not. Task management is the job of the operating system/kernel. You can request to end a job/task. The kernel will do it on it's own time. UAP prompts are attempts to elevate permissions so that you can access higher kernel calls.

https://linux-kernel-labs.github.io/refs/heads/master/lectures/syscalls.html#linux-system-calls-implementation

https://unix.stackexchange.com/questions/111625/how-does-linux-kill-a-process

You can make requests the to the kernel. If you have permission/ownership to the process the kernel will work through the sigterm/sigkill to meet your request. It is not a user space action at all to kill a process, you make requests to the kernel to do it. Hell in linux it's even more obvious as you can instruct the kernel on HOW you would like to kill the task and even then it may not follow your direction. https://www.man7.org/linux/man-pages/man1/kill.1.html with kill being a kernel tool. If you spawned the process, then you have permission/ownership to the process. But my point in the previous post was that anti-cheats can reach into the system, reading dlls and such that are absolutely NOT user space to begin with, require elevation beyond user space to install.

Yeah that it’s considered malware. I did Google it and there’s nothing saying that.

Seriously? You can't find anything? You sure about that? Cause I can literally pull up thousands of articles and forum threads by literally typing "is vanguard anti-cheat malware?" or "is easy anti-cheat malware?"

https://forums.malwarebytes.com/topic/288793-easy-anti-cheat-launcher-detection/

Heuristics detect these things for what they are. Anti-virus software have to whitelist them because people choose to play the games anyway.

https://www.techguy.org/threads/is-valorant-vanguard-a-malicious-rootkit-or-not.1267682/

https://www.pcgamer.com/the-controversy-over-riots-vanguard-anti-cheat-software-explained/

The name is appropriate, because Vanguard doesn't just sniff around for cheats when Valorant is running: It starts up with Windows and keeps an eye on other processes whether or not you're playing Valorant at the time. [...] Vanguard detects software with vulnerabilities which could be exploited by cheat makers, and blocks some of it.

https://www.sp-cy.com/article/is-valorants-anticheat-spyware/

Vanguard cannot be easily fully disabled since after manually quitting the process, a system reboot will be required to be able to open Valorant again.
The EULA prevents any legal recourse against Riot Games.
Valorant/Vanguard sends encrypted data to Riot. Which is Chinese owned by a giant corporation called Tencent.

Let's attack this question from another perspective. Do you trust a games developer to properly develop kernel code? Most people BARELY trust Microsoft to do it these days. And you can't review/evaluate it yourself at all. You have no fucking clue what they're doing and never will. We've seen what happens when random companies inject shit into the kernel like crowdstrike did. You think that these anti-cheat softwares are acting in your interest when they're being implemented and paid by a corporation? How can you look at these anti-cheats that have made backdoors on systems, cause people everywhere unstable kernels/BSODs, send data about your system without permission, interacts with software on your system that isn't their code, etc... and say they're not malicious?

[–] GetOffMyLan 1 points 1 week ago (1 children)

Pretty much all code is making requests to the kernel. That isn't what is happening here.

It's side stepping the kernel. That's the whole point. You don't know what you're talking about.

[–] [email protected] 1 points 1 week ago (1 children)

Stopping processes is actually a user space action.

Now you backpedal and say

Pretty much all code is making requests to the kernel.

But I don't know what I'm talking about? Sure. We'll go with that if it makes you feel good. I only literally taught it at a post-grad level at an R1 institution, but what do I know.

It’s side stepping the kernel. That’s the whole point.

You're getting it! Kind of at least. The anti-cheat actually modifies the kernel (in an extension kind of way, like drivers do). That's the point though. Which seems to have repeatedly whooshed over your head. But I can only say it in so many ways and be ignored. Good luck. Hope I don't run into your code.

[–] GetOffMyLan 1 points 1 week ago* (last edited 1 week ago)

Not back peddling you are misunderstanding what kernel access means.

You don't need kernel level access (the thing we are literally discussing) to kill processes. Which was literally your example.

Obviously the OS handles it. How the fuck else would it work?

[–] [email protected] 1 points 1 week ago

the kernel level part of that specific thing is preventing process startup after it was killed

[–] [email protected] 2 points 1 week ago (1 children)

Anti-cheat software is very clearly and explicitly spyware. That's the entire purpose of it. It spies on how you use your software in the hope that if you cheat you'll be seen by the spyware watching you.

This spyware is generally not something people want on their computer - as evidenced by people complaining about it. So effectively whats happening is that people are being spied on against their wishes. Spyware is a common category of malware.

So I think it's pretty easy to see why people might describe anti-cheat software as malware.

[–] GetOffMyLan 3 points 1 week ago* (last edited 1 week ago) (1 children)

Nah words have meaning. I get you don't like it but that doesn't make it spyware or malware.

Spyware isn't about watching your system or memory it's about stealing personal information.

These anti cheats specifically comply with privacy laws or they wouldn't be allowed. You won't find any breaking any laws.

Anti virus and anti malware applications do the same. Doesn't make them spyware.

[–] [email protected] 2 points 1 week ago* (last edited 1 week ago) (1 children)

[edit] I'd posted something to go into more detail. But I've decided that branch of conversation is not really the way forward.

I'll just say that the software is not installed by choice, and it does things that people don't want it to do... so it could be described as malware. But if you want it on your computer, then I guess for you it is not malware. In any case, it doesn't look like we're going to agree about this regardless.

[–] GetOffMyLan 1 points 1 week ago* (last edited 1 week ago) (1 children)

It is literally installed by choice. It's part of the game installation. It's up to users to know what they are installing. Many games likely install lots of things that aren't immediately obvious.

It doesn't infiltrate the system.

[–] [email protected] 1 points 1 week ago

It's up to users to know what they are installing.

Except when all you get is an UAC prompt when clicking the play button, without giving you any information, other than that it wants to execute an exe in a temp dir with a random name.

[–] [email protected] 1 points 1 week ago (1 children)

antimalware is literally worthless as has been for at least a decade. not even once did I get a spyware (or other) alert for the software of any commercial data harvester company. they are literally bought out and even the blind can see this

[–] GetOffMyLan 1 points 6 days ago

Yeah for sure. Used to be absolutely critical back when things like java in websites was a thing haha

[–] [email protected] 9 points 1 week ago (1 children)

Spyware steal your data, look the same to me

[–] GetOffMyLan 4 points 1 week ago* (last edited 1 week ago)

How do they steal your data? They also said malware

[–] Sl00k 5 points 1 week ago* (last edited 1 week ago) (1 children)

I've been a heavy competitive gamer for 10 years now, kernel anticheat has been an incredible blessing developed these last few years despite every non-player calling it malware. Meanwhile all the consistent players rejoice and newer players don't have to deal with constantly wondering if someone's hacking every single lobby.

You can see just how much this has directly impacted high elo League of Legends players via Riots dev blog after their implementation. The most notable:

more than 10% of Master+ games had a cheater in them.

[–] [email protected] 2 points 1 week ago (2 children)

Does anyone actually have a suggestion for a less intrusive alternative?
Do you realise how difficult and ineffective server-side anti-cheat can be?
Although it would be the only way to actually try and detect someone using a second machine for hacking/inputs.
All of this will become an increasingly uphill battle for the devs.

[–] [email protected] 6 points 1 week ago

Server side AC is hard, yes, but it's not less effective than client-side.... As it's security by obfuscation. If you can't genuinely detect from server view the difference between an human and a cheater, that means a cheater can create a cheat controller (either hid spoof or even mechanicallly moving a mouse) that will spoof the client side too.

NEVER TRUST USER INPUT.

[–] [email protected] 5 points 1 week ago* (last edited 1 week ago) (1 children)

Write it in language that obfuscates code by default (Rust does that) and then it obfuscates again. Or do it the Valve way. Even though is very easy to crack their anticheat (the hacks and DLL injectors are basically for free both on Windows and Linux), they have other measures in place. E.g. Votekicking players, Overwatch and matchmaking against other hackers.

[–] [email protected] 1 points 1 week ago (1 children)

where did you read it that rust obfuscates the code?

you want vmprotect and such for that

[–] [email protected] 1 points 1 week ago

If security analysts have issues decompiling Rust malware, then it's obvious that it obfuscates the code. All they could get was an ugly Assembly. You can try it yourself by downloading Ghidra/Cutter/any other compiler.