Active Anticheat Question

[Slayer Form]

In case someone knows about, there is a folder from the anticheat named "Active Anticheat" in Temp files (%temp%) which even when the game is not running still says that cannot be deleted because it's being used in the background, does that mean the Active Anticheat is working/spying to say so out of Aion?
I am trying to play on a private server using it and it's unclear to me if it's an actual spyware that has kernel access and takes screenshots/collect personal data out of the game or not.
Sorry for the topic choice, I am new and wasn't sure what to pick.
Thank you in advance.

[AlmostGood]

i would never use main PC to run some russian basement made malware antibots, they doesn't have company registered, any terms or privacy policy or entity name. It could be as well botnet with features to block game cheats added on top, you basically trust some unknown guys they are saints :D

[Xtellia]

1 minute ago, AlmostGood said:

i would never use main PC to run some russian basement made malware antibots, they doesn't have company registered, any terms or privacy policy or entity name. It could be as well botnet with features to block game cheats added on top, you basically trust some unknown guys they are saints

Finally I see a good opinion on this topic! All these "protection platforms" are actually disguised malware.

[Anarchy]

Okay so lets start with one thing, despite what AlmostGood says, anyone who has anticheat which uses a driver DO have a registered company, because you literally can't get EV code sign keys without a registered corporate entity and for windows 10 kernel drivers you have no choice but to use EV keys. 

 

Anyway, the reason you can't delete the temp directory created by AA (or any other driver-based anticheat for that matter), is because of how the drivers work. Once DriverUnload is called, the driver is considered unloaded by the OS, but the driver file itself is still loaded in the kernel until the service has been stopped from usermode.

 

If you really want to delete the dir, you have 2 options.

1. Reboot your pc, then delete it.

2. open cmd (as admin) and type "net stop PRProt" then delete it.

 

Once all games are closed, AA unloads after a specified time (something like 30 seconds, don't remember exactly) and then DriverUnload is called, at this point there is no kernel code running from AA anymore.

[xdem]

6 hours ago, Anarchy said:

Okay so lets start with one thing, despite what AlmostGood says, anyone who has anticheat which uses a driver DO have a registered company, because you literally can't get EV code sign keys without a registered corporate entity and for windows 10 kernel drivers you have no choice but to use EV keys. 

 

Anyway, the reason you can't delete the temp directory created by AA (or any other driver-based anticheat for that matter), is because of how the drivers work. Once DriverUnload is called, the driver is considered unloaded by the OS, but the driver file itself is still loaded in the kernel until the service has been stopped from usermode.

 

If you really want to delete the dir, you have 2 options.

1. Reboot your pc, then delete it.

2. open cmd (as admin) and type "net stop PRProt" then delete it.

 

Once all games are closed, AA unloads after a specified time (something like 30 seconds, don't remember exactly) and then DriverUnload is called, at this point there is no kernel code running from AA anymore.

 

I completely doubt that legimetely getting EV is the only possible way to distribute a driver for windows

[Xtellia]

8 hours ago, xdem said:

 

I completely doubt that legimetely getting EV is the only possible way to distribute a driver for windows

They find a homeless guy, pay him 100$ and found a company on his documents. That's how things work nowadays.

[AchYlek]

On 6/5/2021 at 9:59 AM, Slayer Form said:

In case someone knows about, there is a folder from the anticheat named "Active Anticheat" in Temp files (%temp%) which even when the game is not running still says that cannot be deleted because it's being used in the background, does that mean the Active Anticheat is working/spying to say so out of Aion?
I am trying to play on a private server using it and it's unclear to me if it's an actual spyware that has kernel access and takes screenshots/collect personal data out of the game or not.
Sorry for the topic choice, I am new and wasn't sure what to pick.
Thank you in advance.

disable this service

 

 

[Slayer Form]

Thank you so much for the offered details, I decided to delete the private server for being considered as risky at this rate.
My last question is, deleting the launcher/game client and also the temp folder is enough or is there/can be there something else hidden from AAC left in my PC?
Thank you.

[Anarchy]

14 hours ago, xdem said:

 

I completely doubt that legimetely getting EV is the only possible way to distribute a driver for windows

well you can't really steal an EV key like they did in the bad old days because even for the giant corporate guys the EV key has a hardware token, so unless you steal a hardware token you can't sign your files with it, not impossible sure but nothing like it used to be.

 

sure you can pay some guy with a corp to do it but that's still a legitimate corp which has to exist so if you were able to prove one of these guys was doing malicious shit you can report that to the CA and get the key revoked + the corp blacklisted.

 

idk why you guys think there's something specially bad about drivers, there's nothing you can access from kernel mode which you can't somehow access from usermode, even for kernel-specific structures you can use exploitable drivers (asus, cpu-z, gigabyte, intel, the list is endless) where you can sideload unsigned driver code to the kernel.

 

if a shady russkie has ONLY usermode access to your PC and he wants to fuck your shit up, your shit is gonna be fucked no matter what you do, it's not gonna get fucked more just because the guy has a driver.

 

  

4 hours ago, AchYlek said:

disable this service

 

 

that's not the driver service, that's just the service he uses to transfer errors from kernelmode to usermode, the actual service is PRProt, it's set to not be displayed in the services window (yes thats an option) so to stop it you have to use cmd "net stop PRProt" will stop it

 

  

35 minutes ago, Slayer Form said:

Thank you so much for the offered details, I decided to delete the private server for being considered as risky at this rate.
My last question is, deleting the launcher/game client and also the temp folder is enough or is there/can be there something else hidden from AAC left in my PC?
Thank you.

if you wanna be 100000% sure it's gone, run cmd "sc delete PRProt" that will delete the actual service for the AA driver, once the service is gone it's not gonna come back unless you run the AA launcher again

Edited June 6, 2021 by Anarchy

[Slayer Form]

Quote

if you wanna be 100000% sure it's gone, run cmd "sc delete PRProt" that will delete the actual service for the AA driver, once the service is gone it's not gonna come back unless you run the AA launcher again

Thank you much, I did so and it resulted as "SUCCESS", also rebooted but for some reason the service is still there..

[Anarchy]

8 minutes ago, Slayer Form said:

Thank you much, I did so and it resulted as "SUCCESS", also rebooted but for some reason the service is still there..

because as i said, that's not the driver service, you can delete it from services menu or use the same command but instead of PRProt, "sc delete AAErrorPort"

 

but as you can see it's a "manual" service, so it won't start by itself or anything, if you deleted the temp dir anyway the service files are gone so it can't start even if it wanted to

[Slayer Form]

I understood now, thank you very much Anarchy! Truly appreciated

[xdem]

1 hour ago, Anarchy said:

 

idk why you guys think there's something specially bad about drivers, there's nothing you can access from kernel mode which you can't somehow access from usermode, even for kernel-specific structures you can use exploitable drivers (asus, cpu-z, gigabyte, intel, the list is endless) where you can sideload unsigned driver code to the kernel.

 

 

kernel mode is scary because it can do things at full privilege without the user's knowledge globally on your hardware. usermode has certain limitations and to do things that kernel mode can the api has to be accessed which goes through several security layers given the users notice. kernel mode bypasses all this, so I don't agree with what you are saying about the destructive capacity of each mode

[Anarchy]

6 hours ago, xdem said:

 

kernel mode is scary because it can do things at full privilege without the user's knowledge globally on your hardware. usermode has certain limitations and to do things that kernel mode can the api has to be accessed which goes through several security layers given the users notice. kernel mode bypasses all this, so I don't agree with what you are saying about the destructive capacity of each mode

bro name 1 thing you can do from kernel mode "full privilege" that you cant from usermode that you think is "more destructive"

 

and regardless of all that bullshit you guys keep talking about how dangerous kernel is

 

>>You can load unsigned kernel code from usermode using vulnerable legitimate drivers which work to this day<<

 

i'd link you a topic to another forum but i feel that might fall afoul of the rules, but people literally post hundreds of drivers which have vulnerabilities in them to allow injection of your own code, or hell even your own entire fucking unsigned driver, into the kernel

 

this magic scary bullshit about kernel mode, guess what, if some shady guy who has usermode access on your PC wants to do all that scary kernel shit, THERE'S NOTHING STOPPING THEM.

 

usermode is not safer than kernel mode if you're running any application of suspect legitimacy, because there's nothing stopping them from being in kernel from user.

[xdem]

1 hour ago, Anarchy said:

bro name 1 thing you can do from kernel mode "full privilege" that you cant from usermode that you think is "more destructive"

 

and regardless of all that bullshit you guys keep talking about how dangerous kernel is

 

>>You can load unsigned kernel code from usermode using vulnerable legitimate drivers which work to this day<<

 

i'd link you a topic to another forum but i feel that might fall afoul of the rules, but people literally post hundreds of drivers which have vulnerabilities in them to allow injection of your own code, or hell even your own entire fucking unsigned driver, into the kernel

 

this magic scary bullshit about kernel mode, guess what, if some shady guy who has usermode access on your PC wants to do all that scary kernel shit, THERE'S NOTHING STOPPING THEM.

 

usermode is not safer than kernel mode if you're running any application of suspect legitimacy, because there's nothing stopping them from being in kernel from user.

 

usermode goes through security policies while kernel mode doesn't you can't say that they are equally scary