15 comments

[ 5.2 ms ] story [ 41.6 ms ] thread
It's been a long time coming. I wonder if the overhead of user space interacting with the kernel api is gonna be noticeable.

>Another big area of Windows that uses kernel-level drivers is anti-cheating engines for games. Microsoft has been speaking with game developers about how to reduce the amount of kernel usage, but it’s a more complicated use case as cheaters often have to purposefully tamper with their machine to disable protections and get cheating engines running.

>“A lot of [game developers] would love to not have to maintain kernel stuff, and they are very interested in how they do that,” Weston says. “We’ve been talking about the requirements there, and I think we’ll have more to say on that in the near future.” Riot Games told me last year that it’s willing to follow potential Windows security changes and “recede from the kernel space.”

I hope it spreads to anti cheats as well.

With anti-cheat the obvious (lazy, stupid) future is remote attestation. It's another way to kick the can down the road of actually going to "real" approaches to anti-cheat like less client trust, behavioral analysis, and statistics that you would have to do if you had no choice, like for online Chess games or something like that. Of course even for fast-paced games like FPS games, you can now cheat using a capture card, ML models and a fake HID keyboard/mouse device so I'm sure the arms race will evolve to include forced HDCP and signed, encrypted HID devices and other dumb bullshit before there is finally some realization that there is no longer any possible, reasonable way to shortcut anti-cheat anymore. The shortcuts are just too much cheaper and easier. (I'm sure we'll keep remote attestation anyways afterwards, because it's impossible to have nice things.)
I wonder how long until those anti-cheats start fighting and false?-positiving each other due on how they operate.
Anecdotally, for some gaming friends of mine, the only reason they maintain a Windows install is for games that don't run on linux/proton due to anti-cheat kernel integration. So for that portion of the population, it seems in Microsoft's interests to keep it going.
I’ve mostly just stopped playing online games with the public as anti-social sociopath cheaters have ruined the fun.

There’s one “solution” to cheating that publishes seem loathe to offer these days: server executables so people can host their own servers.

When I played BF1942, we just banned anyone we thought was cheating. Having a reputation for being actively moderated and typically cheater-free meant the server was popular and often full. When I ran a Minecraft server, I used a whitelist so it was a complete non-issue.

The only online game I still occasionally play is WoW where cheating is mostly non-existent and what cheating that does exist doesn’t typically affect the gameplay experience of normal players.

> I wonder if the overhead of user space interacting with the kernel api is gonna be noticeable.

‘Luckily’, the overhead of antivirus software already can be quite high at times [1]. So, if this API can keep the number of kernel-userspace transitions down, I think the relative impact could be barely noticeable.

[1] https://www.tomsguide.com/us/av-software-least-system-impact...:

“For example, McAfee Total Protection had a relatively light background impact, slowing down the Lenovo laptop by only 9% after installation”

Following this with cautious but sizeable optimism. Great progress has been made in the printer and WiFi driver departments before, if they could actually deliver on this, that'd be ecstatic.
Excited for this and the anti-cheat systems moving out of the kernel. This should/would make it easier to emulate them on systems like Proton on Linux and thus push the world one step closer to having cross-platform (Windows, Linux, macOS?) multiplayer gaming. But maybe I'm too optimistic :)
The value in anti-cheat systems is in being difficult to emulate. Once they become easy they will either have evolved into something even worse (for some definition of worse) or just stopped existing.
Thirty years too late, but welcome nevertheless
Crowdstrike deserved to go bankrupt for this nonsense, they weren't testing properly, and they rolled their crap update out to the whole world without a staged rollout or canary system: https://x.com/cyb3rops/status/1821096079372251203

Just googled their share price and they are 34% higher than they were before the shitstorm they caused.

I installed Avira Free Antivirus for a day around three months ago, just to check something. When I uninstalled it, it left three browser extensions hidden somewhere on my system. I have several browser profiles, several user-data-dirs, and every time I create a new profile or install a new browser like Vivaldi, I get a popup pressuring me grant permission to those extensions.

Fuck these AntiVirus software vendors, they are just as much scum as the baddies are. What once was just Norton, today is everyone.

I'm glad that they're getting less access to the system, even if it's for another reason.

Given my experience with the scammy, spammy, parasitic mess that have been the vast majority of antivirus software providers I've tried here and there, good riddance. Good to see this. Now what to do about the spammy, scammy, parasitic mess that is called Windows 11?
I remember old setup wizards on Windows 9x that would commonly advise disabling any antivirus software before proceeding with an installation. Even back then, we knew those programs could break basic functionality like app installations, yet the platform owner never truly intervened.

This whole situation now feels like too little, too late. We currently have a vast market of "security" software built on top of their platform, and everyone is compelled to use it, often due to compliance requirements. Now, Microsoft has to walk on thin ice by restricting these "snake oil" vendors without getting into trouble for anticompetitive behavior by restricting a market on top of their platform that should have never existed in the first place.

So after pondering this for a few days, why wouldn't the "easiest" anti-cheat, be to

a) have windows attest to the servers that its running in "secure" mode b) have windows provide the ability to apps/games to run in a validated / secure mode, where the OS would not let things like debuggers and the like attach to the game, as well as validate the game executables and assets that are loaded. i.e. part of "A" would be attesting that the executable it loaded had a specific signature and the game itself would then test the signature of all the assets they load.