Why Can’t Valve Anti-Cheat (VAC) Stop Kernel Cheats?
Are you wondering why the Valve Anti-Cheat (VAC) system cannot prevent kernel-based (Ring 0) cheats? Learn the technical background of the cheating problem in CS2 and the differences between Ring 3 and Ring 0.
Encountering cheaters in competitive games on Steam, especially Counter-Strike 2 (CS2), is undoubtedly every player's biggest nightmare. Many players ask, "Why can't a massive company like Valve completely end cheats?" or "Why doesn't the VAC system work?" In particular, "Kernel-level" cheats sold at exorbitant prices on the market play with the VAC system like a toy.
So, why is Valve Anti-Cheat (VAC) insufficient against these hardware and kernel-level cheats? To understand the answer to this question, we need to take a closer look at how computer operating systems work and their "privilege levels."
What are Ring 3 (User Mode) and Ring 0 (Kernel Mode)?
Your computer's operating system (e.g., Windows) is divided into different privilege levels (Rings) for security and stability purposes:
Ring 3 (User Mode): This is the area where normal applications (Discord, Google Chrome, Steam, and most games) run. Programs in this area cannot directly interfere with hardware or the heart of the operating system.
Ring 0 (Kernel Mode): This is the heart of the operating system. Your graphics card drivers, antivirus programs, and the most fundamental code of the system run here. Code at this level has full access to and control over everything on the computer.
This is where the fundamental problem begins: Valve Anti-Cheat (VAC) operates at the Ring 3 (User Mode) level on your system. However, modern and expensive cheat software is designed to operate at the Ring 0 (Kernel Mode) level.
How Do Kernel Cheats Bypass VAC?
There is a golden rule in computer science: "Software with lower authority cannot audit or see software with higher authority."
A cheat running at the kernel level (Ring 0) takes root in the deepest parts of the operating system. When VAC, running in Ring 3, scans the game's memory looking for cheats, the Kernel cheat tricks the operating system and sends a message to VAC saying, "Everything is clean here, no cheats." Since VAC's privileges are limited, it is technically impossible for it to detect this lie. In short, the Kernel cheat becomes invisible to VAC.
How Do Riot Vanguard and Others Succeed?
Anti-cheat systems such as Valorant's Riot Vanguard and Epic Games' Easy Anti-Cheat (EAC) operate at the Ring 0 (Kernel Mode) level on your computer. That is, they fight on the same battlefield, at the same privilege level as the cheat software. As a result, their rates of detecting and blocking kernel-level cheats are much higher.
Why Doesn't Valve Make a Kernel-Level VAC?
The question players ask the most is: "Then why doesn't Valve make a Kernel Anti-Cheat like Vanguard?" There are several philosophical and technical reasons for this:
Privacy and Security Concerns: A program running at the kernel level can theoretically access all the files, passwords, and bank information on your computer. Additionally, a security vulnerability in the anti-cheat software itself could let attackers take over your computer or cause the system to crash (Blue Screen). Valve stays out of the kernel so as not to violate user privacy.
Linux and Steam Deck Compatibility: Valve has made massive investments in the Linux ecosystem with SteamOS and the Steam Deck. A deep anti-cheat system written specifically for the Windows kernel is very difficult to run on Linux. Valve wants its games to be freely playable on every platform.
What is Valve's Solution? (AI and Server-Based Protection)
Instead of entering the Kernel war, Valve aims to solve the problem with server-side analysis and Artificial Intelligence (AI).
VACnet (Valve's AI-based cheat protection system) analyzes players' mouse movements, aiming speeds, and behaviors. On the server side, the AI detects millisecond reactions or tracking behind walls (Wallhack, Aimbot) that are impossible for a human. In other words, no matter how well the cheat hides itself on the computer, it gets caught thanks to the "superhuman" movements it sends to the server. Valve also aims to protect normal players by matching cheaters against each other with the Trust Factor system.
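The server-side idea described above, as an added example (not Valve's code, and a fixed-threshold heuristic rather than VACnet's AI model): the server scores each player from telemetry it recorded itself, so nothing running on the client, at any ring, can alter the input. The field names, thresholds and sample data are assumptions constructed for illustration.

```python
from statistics import median

# Assumed thresholds for illustration only; these are not Valve's values.
HUMAN_REACTION_FLOOR_MS = 100    # a median reaction faster than this is implausible
MAX_OCCLUDED_TRACK_RATIO = 0.30  # share of on-target ticks with no line of sight
MIN_SAMPLES = 5                  # never judge a player on a handful of engagements

def score_player(events):
    """Score one player from server-recorded engagements (hypothetical schema).

    reaction_ms    - time from target becoming visible to first shot on target
    occluded_ticks - ticks the crosshair followed the target without line of sight
    total_ticks    - ticks the crosshair followed the target overall
    """
    if len(events) < MIN_SAMPLES:
        return {"flagged": False, "reasons": ["insufficient data"]}
    reasons = []
    # Median, not minimum: one lucky pre-fire must not flag a legitimate player.
    med = median(e["reaction_ms"] for e in events)
    if med < HUMAN_REACTION_FLOOR_MS:
        reasons.append(f"median reaction {med:.0f} ms below human floor")
    occluded = sum(e["occluded_ticks"] for e in events)
    total = sum(e["total_ticks"] for e in events)
    if total and occluded / total > MAX_OCCLUDED_TRACK_RATIO:
        reasons.append(f"{occluded / total:.0%} of tracking done without line of sight")
    return {"flagged": bool(reasons), "reasons": reasons}

# Constructed sample telemetry (not real match data).
MATCH = {
    "player_a": [{"reaction_ms": r, "occluded_ticks": o, "total_ticks": 100}
                 for r, o in [(240, 3), (310, 0), (198, 5), (275, 2), (260, 4)]],
    "player_b": [{"reaction_ms": r, "occluded_ticks": o, "total_ticks": 100}
                 for r, o in [(35, 60), (42, 55), (28, 70), (51, 48), (39, 66)]],
    "player_c": [{"reaction_ms": 20, "occluded_ticks": 0, "total_ticks": 100}],
}

def review_match(match):
    """Return a verdict per player for one match."""
    return {name: score_player(ev) for name, ev in match.items()}

if __name__ == "__main__":
    for name, verdict in review_match(MATCH).items():
        print(name, verdict)
```
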