Microsoft is moving antivirus providers out of the Windows kernel. Hopefully anti-cheat will be next
-
I get this and when I used windows I've had issues with kernel level anti-viruses, but why anti-viruses before anti-cheats? Surely an AV's kernel access is more important then an AC's access?
Microsoft's biggest concern here is another Crowd Strike like event, so they're prioritizing kernel modifications that impact businesses.
-
Thanks for the well thought response, you made quite a few points, but let me try to clarify where I'm coming from:
Windows 11 requires all computers to have TPM 2.0. It's a crypto chip used for allowing vendors (re: Microsoft) to add secure keys at a hardware level, which will then allow software to verify that the software, operating system, and hardware are "unmodified".
In a nutshell this process for allowing software to ensure that the OS and hardware are not compromised nor modified is called "attestation".
And it's something Google has (successfully) introduced into Android and they're now "turning the screws" .
This means that the Windows of the near future, will begin to "limit access" to the OS (ie: kick people out of the kernel), only allowed signed device drivers, etc.
The next step will be restricting "sideloaded apps" and funnel people through the "officially supported apps store". Once that happens, sideloading will either be removed or crippled.
When it comes to gaming: there won't be any need for anti-cheat measures, because Microsoft will know (and will disable itself or the app) if you've modified the OS or any app/game (this could include installing a game on a newer or older version of Windows)
This is the future of computing. It's already happening to cellphones. I'd read a great article (that I, sadly, cannot find) that talks about how technology like attestation have software vendors treat the user as an untrustworthy person. The upshot, for the user, is that if they get infected will malware or a virus the OS will know and will react accordingly. The downside, for the user, is that the freedom we have today - to install or configure our OS to our liking will be a thing of the past.
These changes won't happen overnight, but it has and will be a slow boil.
I think that's a very big stretch and I don't think we'll see that any time soon. Microsoft is already losing market share and they can't do much more of this type of stuff because more and more people are getting annoyed. (Including ones with a following such as PewDiePie)
Anyways, Linux is great.
-
All I use my machine for is gaming, so not having cheaters in games far outweighs the odds of being hacked by imaginary bogeymen.
I am not really talking about being hacked but about anyone but you having more control over your system then you.
Maybe in your case thats very little information but I am a tech hobbyist and if i do not have full control and knowledge about every aspect of a device i bought, do i really own it?
If a consumer can’t fully own it, it shouldnt be sold as such. I considered such deeply unethical and damaging to the future potential of technology.
-
...wait, games don't have even a single person checking for cheaters, even casually? Like, they wholly rely on anticheat?
(PS, has been a decently long time since I played a game that needed anti cheat)
Depends on the game, really, but “relying” on anti-cheat is pretty common. Larger games tend to have teams who review cases that get flagged by the systems and players and do manual removal but these teams also tend to be quite small and unable to adequately handle the amount of cheating that occurs.
If gamers want to see cheaters less often, they need to pressure the companies to do human moderation in addition.
-
I believe that's just fear-mongering. This has been a thing that Microsoft has wanted to do for a while, largely because having 3rd party code with direct kernel access is a huge problem in terms of stability and security unless you can be sure you know what all that code is doing.
They tried to do this in the past, arguing that anything that wanted kernel-level access had to Windows API calls instead, however Windows Defender which was bundled with the OS was exempt from this restriction. The EU argued that it gave Microsoft a competitive advantage in the AV space and mandated that if they wanted to do this, they had to follow their own rules which MS was not willing to do.
Instead, Microsoft dictated that any code that was going to run in the kernel had to be submitted to Microsoft for review, who would then approve or deny the code for use. The problem with this method is that it's slow, so any AV that wanted to update their engine had to go through a code review process every time. Crowdstrike (and likely every other AV provider) got around this by having a component of their software with kernel-access that could read in data dynamically. This is what caused that worldwide BSOD problem a couple years back. The Crowdstrike component with kernel access loaded in a bad update that was not properly reviewed and it broke every system with the AV installed.
Overall, this change is a good thing and will force software vendors to actually operate securely rather than just asking for ring 0 access when they don't need it. As always, if you're worried about the changes MS is making, Linux is available and getting better day by day.
I hope that it's fear-mongering.
I tried to justify the technical reasons here, but the tl;dr is it possible for windows 11 to verify that the OS and hardware are "unmodified" (aka "attestation").
They tried to do this in the past, arguing that anything that wanted kernel-level access had to Windows API calls instead, however Windows Defender which was bundled with the OS was exempt from this restriction.
True but attestation is a different beast. It's just a hardware check that "everything is unmodified". Any/all software vendors can use it. Windows Defender was a "duplication" of functionality (hence the EU smackdown).
However, as Microsoft has already integrated attention into Windows 11 (restricted to verifying security patches, for the moment) - it'll be easier for them to repackage attestation into a simple API that software vendors (games/apps/even websites) and use (
if attestation.check('basic') == true; then run; else exit).This "simple" check is what software companies have been wanting for years: a way to guarantee that users are running their software in the way that the software companies want you to be running it (meaning unmodified).
The OPs original question was about removing anti-cheat - which I'm confident will happen and will be replaced with attention (as it already exists for android, John deere, iphones, etc).
Your points about virus scanners is different: I think virus scanners, although technically not necessary (after attestation is mandatory) - they will still exist, simply because virus scanners is a 40+ Billion Dollar industry. Microsoft cannot/will not piss of those companies "just because they can" - it would be in the shareholders best interests for Microsoft to throw the virus scanner companies a bone, allow them an isolated space to do their thing, charge them for the privilege, and require that Microsoft verifies that the virus scanner is untampered.
-
Basic anti-cheat already does this, but also with memory, because most cheats are reading/modifying what is in memory. I think the only ethical solution for anti-cheat is on the server side, with machine learning perhaps, kind of like VACnet.
The problem is that, with a good enough cheat, it can be impossible to distinguish from a very good player.
The best cheats use a secondary device emulating human input and reactions, which is practically undetectable. -
The problem is that, with a good enough cheat, it can be impossible to distinguish from a very good player.
The best cheats use a secondary device emulating human input and reactions, which is practically undetectable.A secondary device can't be identified by kernel level anti-cheat either. If you have a standalone device that identifies as a USB keyboard and mouse and then generates inputs that give you a 100% headshot count, there's nothing you could detect through the kernel, since all it detects are keystrokes and clicks.
-
Yeah and a lot of cheats know the anti cheat is checking memory so they also modify the anti cheat and essentially mess up their memory check to fool it into thinking nothing has been modified. It's just a cat and mouse game where the cheats bypass the anti cheat and the anti cheat adding more detectors.
-
Microsoft has long wanted to get vendors out of the kernel. It's a huge privacy/security/stability risk, and causes major issues like the Crowdstrike outage.
Most of those issues also apply to kernel anti-cheat as well, and it's likely that Microsoft will also attempt to move anti-cheat vendors out of kernel space. The biggest gaming issues with steamOS/Linux are kernel anti-cheat not working, so this could be huge for having full compatibility of multiplayer games on Linux.
wrote on last edited by [email protected]For those who can't see the writing on the wall.
Privileged access will include admin access and eventually the ability to make changes to Windows is coming to an end.
The distribution will be enshitified from the install to the updates and you wont be able to do a thing. Exactly like android, ios ect.
Microsoft are doing the opposite of what customers want. The ONLY way this changes is with real competition. If you are only familiar with Microsoft as a professional. It's no time like the present to step outside the rent seekers and see what the rest of the industry is doing.
-
I don't think chain of trust and security through kernel-level access are fighting the same problem.
Usually chain of trust is to prevent app tampering, and kernel-level access is to prevent memory tampering.
I assume Windows is creating a new API for applications to monitor certain regions of memory for tampering without needing kernel access.
wrote on last edited by [email protected]Kernel level access is to stop access plain and simple. That includes user access rights absolutely.
-
Depends on the game, really, but “relying” on anti-cheat is pretty common. Larger games tend to have teams who review cases that get flagged by the systems and players and do manual removal but these teams also tend to be quite small and unable to adequately handle the amount of cheating that occurs.
If gamers want to see cheaters less often, they need to pressure the companies to do human moderation in addition.
wrote on last edited by [email protected]I'd argue the most effective anticheat is dedicated servers.
Admin'ed a lot of CS, TFC, and Q3 servers growing up and it was easy enough to kick/ban any one hacking or being an unrepentant dick.
Downside for the corps is, you can't gate all that dlc as easy when users have control. -
I'd argue the most effective anticheat is dedicated servers.
Admin'ed a lot of CS, TFC, and Q3 servers growing up and it was easy enough to kick/ban any one hacking or being an unrepentant dick.
Downside for the corps is, you can't gate all that dlc as easy when users have control.I’d argue the same, actually. It takes people to moderate people and dedicated servers make it easiest. Modern match made games could still have admins, the company needs to pay for them.
-
To be fair, it certainly still makes cheating harder. If it didn't exist, you'd just see even more people cheating, but it's a pretty overkill way of system monitoring for such a relatively small benefit by comparison.
Massive privacy risk, only slightly better performance than other non-kernel monitoring.
Sure, if you are comparing to having no anti-cheat at all... But there are tons of competitive games out there using more "traditional" anti-cheat that don't need kernal access that are doing fine.
-
Microsoft has long wanted to get vendors out of the kernel. It's a huge privacy/security/stability risk, and causes major issues like the Crowdstrike outage.
Most of those issues also apply to kernel anti-cheat as well, and it's likely that Microsoft will also attempt to move anti-cheat vendors out of kernel space. The biggest gaming issues with steamOS/Linux are kernel anti-cheat not working, so this could be huge for having full compatibility of multiplayer games on Linux.
The best anticheat is whitelisting. More coop games, why does it matter if the enemy force is a computer or player? As long as the AI is good enough.
-
Microsoft has long wanted to get vendors out of the kernel. It's a huge privacy/security/stability risk, and causes major issues like the Crowdstrike outage.
Most of those issues also apply to kernel anti-cheat as well, and it's likely that Microsoft will also attempt to move anti-cheat vendors out of kernel space. The biggest gaming issues with steamOS/Linux are kernel anti-cheat not working, so this could be huge for having full compatibility of multiplayer games on Linux.
why not move anticheats out
-
The best anticheat is whitelisting. More coop games, why does it matter if the enemy force is a computer or player? As long as the AI is good enough.
Perhaps*, this is possibly* ok in games with projectile based attacks maybe* but hitscan weapons are not fun to play against when the "player" has no aiming delay.
-
why not move anticheats out
Why not just read the article in which this get addressed?
-
This is what, the fourth time a Linux community gets excited about this? But that's actually not good for us at all. Much like Android's safety net, or the nightmare that is the Mac equivalent, the entire point will be creating an untouchable chain from the firmware to the final OS being booted, and only allowing some apps to use a specific API to attest this isn't compromised.
This is horrendous for people trying to modify the OS or, in a more relevant tone, run programs meant for that OS on an entirely different environment. Microsoft has slowly been moving towards making this work on PCs, mostly due to pressure from DRM providers like Netflix or banking apps, but unlike Apple they can't simply lock everything down at once and say "deal with it" because Windows lives by backwards compatibility. Either way, this is just another step towards this upcoming future.
If your favorite games now start asking Windows if the chain of trust is not tampered with... say goodbye to compatibility with Proton.
And if Windows makes using their system super easy, there will likely be even more games with kernel level anti cheat. Classic embrace, extend, extinguish.
-
Why not just read the article in which this get addressed?
Cause I don't wanna read all of it
-
Microsoft has long wanted to get vendors out of the kernel. It's a huge privacy/security/stability risk, and causes major issues like the Crowdstrike outage.
Most of those issues also apply to kernel anti-cheat as well, and it's likely that Microsoft will also attempt to move anti-cheat vendors out of kernel space. The biggest gaming issues with steamOS/Linux are kernel anti-cheat not working, so this could be huge for having full compatibility of multiplayer games on Linux.
Another nail in the coffin
