Guideline to Kernel Anti-Cheat

(This post will be updated later; please refer to the post below to catch up on the discussion.)

I noticed Secure Your Network — Compartmentalization briefly touches on the topic, but it feels a bit lacking in hardware- and OS-specific guidance. I’d like to expand these ideas — please feel free to add or remove any details below.

Goal: Run kernel-level anti-cheat safely if possible; otherwise, provide a clear path to run non-kernel anti-cheat or native-safe versions without needing to research each game’s kernel or non-kernel anti-cheat.

Objectives:

  • Minimize performance loss.

  • Native app when OS is safe by default.

Recommendations:

  • Windows: Harden the system (e.g., Hotcakex). Use a dedicated physical machine for gaming and dedicated devices (keyboard, mouse, headset) assigned only to that machine. Use a router with FOSS firmware and place the gaming machine on its own VLAN.

  • Linux: Native apps (without granting root privilege) or Proton or Wine as compatibility layers that do not require elevated/root approval.

  • macOS: Native apps or CrossOver.

  • iOS: Native apps.

  • Android: Uncertain (even with GrapheneOS)

From a privacy perspective, it’s not if using a device that also has anything you want to protect from the anticheat. By definition a kernel-level anticheat is omnipotent and omniscient on the device.

This does nothing to protect you from a kernel anticheat.

This will help, in fact it’s really the only option available (assuming whatever game uses the kernel anticheat has VM detection and requires a physical machine, which I think is normally the case for those kinds of games)

I don’t see how this relates to a kernel level anticheat so might be worth elaborating if there’s a point I’m missing.

I don’t think this really has anything to do with a kernel anticheat. Any malicious program on a device could attack other devices on a network just as easily, so I don’t think this should be tied to kernel level anticheat being in use. If it fits your threat model you should do this regardless of kernel anticheat specifically.

How do you propose you prevent something running in the kernel from having root? Something in the kernel inherently has more than root access.

These are not compatible with kernel anticheat.

These don’t seem relevant to a kernel anticheat conversation. It might be possible to have one on macOS but I’ve never heard of anyone actually doing so, and it’s not possible on iOS or Android.

To explain, it is divided into two parts:

  1. Run kernel‑level anti‑cheat safely whenever possible.

  2. When that isn’t feasible, provide a clear path to run non‑kernel anti‑cheat versions so players don’t have to research each game’s anti‑cheat model every time.

For example, some mobile games require kernel-level anti-cheat on the PC version. If a game is playable on an OS (Linux and macOS/iOS) that does not support kernel-level anti-cheat, the user should use the non-kernel option when available.

Using routers with FOSS firmware and additional system hardening is a little bonus thing for discussion purposes.

My main question: If a user uses a dedicated machine and devices exclusively to that machine, and VLAN does not stop an attack over the network, does that put other PCs on the same router at risk? Is there a reliable way to play games that require kernel-level anti-cheat safely, or is using non-kernel anti-cheat the only practical way to play online games securely, even with dedicated hardware? Finally, if a network attack cannot reach the other PC, can a device still cross‑contaminate the second PC if a user uses that device on both machines?

It’s already safe.

Your recommendations only mention Hotcakex tweaks that will impact the system’s performance negatively, not positively.

What???

???

FOSS firmware for routers doesn’t exist. OpenWRT uses firmware blobs.

Marginally worse network performance.

How is this related to kernel level anticheat? They don’t exist on Linux and macOS.

Please don’t post AI slop. This thread has 0 value.

Kernel level anticheat is absolutely not safe from a privacy perspective.

As I mentioned, this is really only possible with a dedicated machine or VM if the game allows it (which I suspect it will not if it has a kernel level anticheat). There are no mitigations. You either have a machine where you accept there is no privacy from the anticheat, or you don’t play those games.

Yeah sure, but that fits into what I’m saying of just “don’t use kernel-level anticheat on a device where you don’t want to sacrifice all your privacy” no?

I don’t really follow what you’re asking. If a device is reachable to be attacked over a network then yes it is by definition at risk of attack? Does that answer?

Again, no, beyond just using a separate machine. You have no privacy from the anticheat on the device it runs on. That’s kind of the point of them in the first place. You can still use it if you have a separate device or even just don’t care about that, but there’s nothing “safe” about it privacy-wise.

Dedicated hardware will keep the information you don’t expose to that device safe, but you still don’t have any privacy from the anticheat on that device.

What do you mean by cross-contaminate? If a network attack cannot reach another PC then again, definitionally, no, that PC cannot be affected by the attack.

What do you mean?

Kernel-level Anti-cheat is already safe.

Could you explain how a rootkit can be considered safe, given that cybersecurity generally agree kernel-level anti‑cheat may pose risks to both security and privacy?

Minimize performance loss

I agree it’s not intended for kernel anti‑cheat and is only a bonus; I was referring to running Windows/Linux in a VM and the potential for degraded GPU/CPU performance without GPU/CPU passthrough. I will update the first post after some replies.

Native app when OS is safe by default.

From my understanding, macOS and Linux do not accept kernel‑level anti‑cheat by default; on Linux it’s possible only if the specific application is granted root privileges.

FOSS firmware for routers doesn’t exist. OpenWRT uses firmware blobs.

If that’s true, I’m confused about how this works. Guide

Marginally worse network performance.

Thank you for contributing that information.

How is this related to kernel level anticheat? They don’t exist on Linux and macOS.

This applies to point 2

  2. When that isn’t feasible, provide a clear path to run non‑kernel anti‑cheat versions so players don’t have to research each game’s anti‑cheat model every time.

Please don’t post AI slop. This thread has 0 value.

The thread is for discussion, and I’m using an AI (not OpenAI or Claude) to reduce stylometry—please keep responses civil; I’ll do my best to contribute constructively.

Yeah sure, but that fits into what I’m saying of just “don’t use kernel-level anticheat on a device where you don’t want to sacrifice all your privacy” no?

(Text Edited. Sorry for confusion.)

Yes, and I suggest adding that side-note to the guide warning against using kernel‑level anti‑cheat on devices — this would show gamers they don’t have to trade privacy for a good gaming experience. A one‑page section on both kernel anti-cheat and non-kernel anti-cheat games could also help gamers on which path to choose.

Personally, I used to feel locked into Windows for gaming, but discovering titles like Arc Raiders and Helldivers running on Linux has given me more peace of mind.

It would also help gamers avoid a false sense of security from dual‑booting or sandboxing. Anyway, I have some questions about your earlier replies.

As I mentioned, this is really only possible with a dedicated machine or VM if the game allows it (which I suspect it will not if it has a kernel level anticheat). There are no mitigations. You either have a machine where you accept there is no privacy from the anticheat, or you don’t play those games.

I don’t really follow what you’re asking. If a device is reachable to be attacked over a network then yes it is by definition at risk of attack? Does that answer?

Again, no, beyond just using a separate machine. You have no privacy from the anticheat on the device it runs on. That’s kind of the point of them in the first place. You can still use it if you have a separate device or even just don’t care about that, but there’s nothing “safe” about it privacy-wise.

Dedicated hardware will keep the information you don’t expose to that device safe, but you still don’t have any privacy from the anticheat on that device.

What do you mean by cross-contaminate? If a network attack cannot reach another PC then again, definitionally, no, that PC cannot be affected by the attack.

I now understand that a device with kernel‑level anti‑cheat is unsafe, but I need help understanding how it can attack beyond its own boundaries.

From what I gather, a PC with kernel anti‑cheat could potentially compromise the home network and put other devices on the router (laptops, phones, mini‑PCs, other PCs using the wifi and LAN) at risk. Please correct me if I’m mistaken.

By “cross‑contaminate”, I mean the gaming PC could inject spyware or malware into devices (keyboard, mouse, headset), which might then infect other systems when those devices are connected. Would Linux and macOS antivirus/defenses block this, or does that still pose a real risk?

I don’t understand how @anonymous588’s AI slop is going to make kernel module safer from the security standpoint. I’m not a native English speaker, but the term safety doesn’t apply to privacy. If you want to say “to make x safe from a privacy perspective”, you use the word private, not safe.

No.

It isn’t a rootkit. Microsoft reviews and manually approves all code that runs in kernel mode from now onward, just like they do for drivers. PatchGuard and driver signature enforcement guarantee that.

Anticheat developers are painfully aware of the fact cheaters need to enter kernel mode. If you were to actually study the topic, you will find that attackers pivot to kernel using insecure device drivers, not anticheats. Anticheats are heavily hardened against exploitation. If you don’t want to get hacked - don’t use a gaming mouse. It will introduce a larger attack surface than a kernel AC.

Regarding your AI slop suggestion - how will Hotcakex tweaks help harden anticheats?

???

How can you not “pass” a CPU?

I don’t understand what you’re trying to say here. What is a native app in this context?

On Windows you’re also presented with a UAC prompt, yes.

Both games can collect the same amount of information about your system without needing to enter kernel mode. You’re signing off your privacy rights the moment you launch a game.

It can’t any more than any other untrusted or compromised device. There aren’t really any mechanisms to attack other devices that require anything special running in the kernel (root is sufficient).

In terms of whether or not and to what degree you should isolate a device with kernel anticheat from other devices you own, you should treat it as you would any other device you don’t trust.

It won’t. That doesn’t mean they’re safe though obviously.

Of course it can.

Those aren’t the same concept though. I would say safe in terms of privacy would refer to mitigating the issues of using something inherently non-private.

Cars are dangerous, deadly machines, and when we talk about making them more safe we mitigate the inherent risks that come with operating one.

To be clear, I don’t have an issue with this fact, and I appreciate where the misunderstanding is coming from, but I think you are way too aggressive in arguing with someone who is a native English speaker about whether or not something is valid English.

You should probably take a step back and realize you might have something you can learn here, if you’re interested in that kind of thing.

Actually, yes!

People often colloquially refer to software they think is bad in terms like “rootkit” or “spyware” even if it technically isn’t malicious enough to meet those definitions in order to draw comparisons between the negative aspects of the software and other obviously bad malware.

This is way too broad of a statement. Sure, some might be. And the problem privacy-wise is the anticheat itself, not another attacker exploiting it. You’re missing the point.

Absolutely false. All Operating Systems provide at least some protections to processes from undue interference and snooping by others, especially when they run in separate security contexts. Something running in the kernel bypasses all those protections and can access whatever it wants.