I'd like to mark anti-cheat drivers as unwanted and block them from ever getting installed

[Guest Guest]

I'd like to configure ESET to consider anti-cheat kernel drivers as unwanted, and block them. I'd like help on how to do this, or, if this is currently not possible, kindly consider this a feature request.

My reasoning:

These drivers increase the attack surface. Even if a driver is not on Microsoft's Vulnerable Driver Blocklist yet, it might still be vulnerable to a 0-day exploit. Since these are dashboard ("WHQL") signed, attackers can use them relatively easily, even if you don't have a corresponding game installed. If you read the blocklist XML itself, there are numerous versions of some well-known anti-cheats listed, proving their bad track record when it comes to vulnerabilities.

In many environments (mine, and almost every corporate environment I presume), these games will never be installed, so breaking their anti-cheat functionality is not a problem. Unconditionally blocking these drivers could however thwart a class of attacks that rely on them for, e.g., ring0 code execution.

I am sorry if any part of this is incorrectly written, English is not my native language.

[Marcos 5,231]

Which ones do you mean specifically? Are they not detected as potentially unsafe or unwanted applications already?

[itman 1,740]

On 7/20/2024 at 6:21 AM, Guest Guest said:

I'd like to configure ESET to consider anti-cheat kernel drivers as unwanted, and block them.

Even if a driver is not on Microsoft's Vulnerable Driver Blocklist yet, it might still be vulnerable to a 0-day exploit.

Just how would Eset identify these anti-cheat kernel drivers?

Edited July 21 by itman

[Guest Guest]

For example: capcom.sys, mhyprot2.sys, mhyprot3.sys, vgk.sys, easyanticheat.sys, but there are many more.

[itman 1,740]

A good article on this subject here: https://www.wired.com/story/kernel-anti-cheat-online-gaming-vulnerabilities/ .

As far as the likelihood of anti-cheat drivers being misued;

Quote

But to many gamers, who pushed into the kernel first isn’t important. They worry that an anti-cheat kernel driver could secretly spy on them or create exploitable vulnerabilities in their PCs. As one Redditor put it: “I'll live with cheaters. My privacy is more important than a freaking game.”

A kernel driver could certainly introduce some sort of vulnerability. But the chances that a hacker would target it are slim, at least for the vast majority of people. “You're talking easily hundreds of thousands of dollars, perhaps millions, for an exploit like that if it's going to be remotely executable,” says Adriel Desautels, founder of penetration testing company Netragard. “What attackers would rather spend their time and money on are things where they can hit one thing and get a lot of loot,” like other criminal hacks or malware attacks where huge troves of valuable data were stolen or held for ransom.

Edited July 21 by itman

[itman 1,740]

5 hours ago, Guest Guest said:

For example: capcom.sys,

When I attempted to download it from here: https://github.com/FuzzySecurity/Capcom-Rootkit , Eset detected the hacked driver;

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
7/21/2024 10:14:38 AM;HTTP filter;file;https://raw.githubusercontent.com/FuzzySecurity/Capcom-Rootkit/master/Driver/Capcom.sys;Win64/Capcom.A potentially unsafe application;connection terminated;xxxxxxxx;Event occurred during an attempt to access the web by the application: C:\Program Files\Mozilla Firefox\firefox.exe (0E12C4DDBC34036D13EDFE72BB4890BE106D3A4C).;C1D5CF8C43E7679B782630E93F5E6420CA1749A7;7/21/2024 10:14:07 AM

My take here is if the driver has been identified as vulnerable, Eset will detect it.

Here's a new anti-cheat driver for vgk.sys: https://www.unknowncheats.me/forum/tags/vgk.sys.html . You could download it and see if Eset detects it.

Of note is this driver's signature is invalid. As such, it couldn't be installed in Win 10/11 as a kernel mode driver;

https://www.virustotal.com/gui/file/40ae836fef315c32d5eb2276e2b36f5f4405949efa31d48f7a2dfeb4796689be/details

Edited July 21 by itman

[Aryeh Goretsky 386]

Hello,

ESET detects kernel drivers for a number of reasons, including if are infected by a computer virus or are malware, or even if they are legitimate, but pose a security threat to your system because they are being misused for things like bring-your-own-vulnerable-driver (BYOVD) attacks (see these earlier threads asking about kernel drivers from ASUS, Intel, and MSI).

If anti-cheat software was seen in those types of conditions, it would be detected as well.  However, these are included in games by their publishers, which means that they came from the publisher and are considered part of that software.  Regardless of the whole problem of cheating in games and how to counter it—which is certainly outside the scope of this forum—anti-cheat technology is neither intentionally malicious or unsafe, which is something that has to be considered when making a determination as to why something should be detected.  As a very hypothetical example, would formatting a disk to erase all the information on it be considered in most circumstances an inherently malicious act?  Probably not in the consumer space, as this is something PC users do all the time.

Another important thing to consider is that blocking the anti-cheat component of a game is going to prevent the game in question from running, which kind of defeats the whole purpose of the game, which is to be able to play it.

The problem of cheating in games is an incredibly complex one, involving the entire gaming ecosystem (developers, publishers, esports leagues, not to mention the players themselves) and I will also state that it's more than a technical issue but a social issue as well.  I am not sure if it is even right for us to place a stake in there.  I know there are plenty of people who cheat in games, but I suspect the number of people who want to play those same games without cheaters is on the orders of magnitude larger.

Another consideration here, which I will state is a completely separate issue, is concerns about false positive detections.  There's nothing inherently different in the kernel drivers used by GPUs, network cards or sound cards (or their chips at least, since those are normally on the system board these days), or even the software used to control a fans, read CPU temperatures, control RGB lights in gaming PCs, keyboards and mouses (mice?), etc.  There is a lot of kernel-level driver software that used in gaming besides anti-cheat ones.  The idea of blocking one of these kernel driver programs and possibly crashing someone's PC when all they did was install one of these (or updated an existing driver) is not something I would want to be responsible for causing.  It would be the exact opposite of having a good gaming experience.

The best suggestion I have is that if you do not want anti-cheat software on your computer, that you do not purchase and install games which use it, and you let the publisher's know (via social media, letter, or whatever) the reasoning behind your decision.

Regards,

Aryeh Goretsky
 

[itman 1,740]

Getting back to the question is it possible to block installation of known anti-cheat kernel mode drivers, is such a list in existence? Well, it turns out there is a concern that has such a list and supposedly, actively maintains it: https://levvvel.com/games-with-kernel-level-anti-cheat-software/ . Appears the list contains around 325+ games/software developers and the anti-cheat software used.

To begin, note that what is listed is the game software name that contains anti-cheat software. You will have to download each game and, possibly install it, to determine the name of the .sys anti-cheat kernel mode driver.

Next, you could create an Eset HIPS rule to prevent these anti-cheat kernel mode driver .sys files from being created in C:\Windows\System32\drivers directory. Also, another like HIPS rule for C:\Windows\SysWOW64\drivers for 32 bit drivers. Finally, these rules will have to be constantly maintained to add any new drivers added to anti-cheat kernel mode drivers list.

Finally, the HIPS detection could be easily be defeated by the attacker renaming the original anti-cheat kernel mode driver .sys file.

Given the existence of unknown number of hacked original anti-cheat software kernel mode drivers, it might be impossible to identify these. It all depends if the game is using an anti-cheat kernel mode driver of a specific name. Finally, assume if an attacker is using an anti-cheat kernel mode driver for malicious purposes, it doesn't matter what it is named.

Edited July 21 by itman

[itman 1,740]

My final comment in this thread is the odds of being nailed by a rogue anti-cheat kernel mode driver are the same as being nailed by any rogue kernel mode driver.

The kernel mode drivers that you should be concerned about are "Microsoft's dirty little secret" attestation signed kernel mode drivers. I wrote an op-ed forum posting about these here: https://forum.eset.com/topic/32841-a-clear-and-present-danger-lurking-in-windows-1011/#comment-152816 . The point to glean is these like signed drivers carry the same code signing verification ranking as WHQL signed drivers.

As far as I am aware of Eset and other AV vendors are totally oblivious about them.

[Guest Guest]

> chances that a hacker would target it are slim

The chances of being infected are slim to begin with, yet we're using ESET's products. It's all about reducing that "slim".

I agree with the users who claim that more drivers (such as attestation-signed) should be allowed to OPTIONALLY be marked as unwanted, and detected. I'm not asking for this to be the default, I presume most of home users would much rather have the anti-cheat running.