Skip To...
Since almost every PC game these days comes with online functionality, most players expect them to be installed with anti-cheat software to deter cheaters and hackers from ruining their gaming moments. And speaking of online games, the 2020-released Genshin Impact is still one of the most popular games played, especially when people want to take a break from frustrating competitive matches and turn into frustrating gacha rolls instead. But does Genshin Impact protect their users’ enjoyment using an anti-cheat, especially since the game has a PC version prone to abuse?
What Anti-Cheat is Being Used by Genshin Impact PC?
Like most other high-profile online games, miHoYo deploys an anti-cheat program to prevent player abuse like hackers, cheaters, etcetera for Genshin Impact. Although the game doesn’t really have competitive modes (aside from unique events) and the actual name of the program isn’t disclosed by miHoYo, it seems the drivers used as Genshin Impact’s anti-cheat are a first-party program called “mhyprot2.sys” and “mhyprotect.sys.”
You can find both mhyprot2.sys and mhyprotect.sys files in the temp directory of your Windows PC. Open the Start menu then type in “%temp%” or enter “%temp%” in the Run command window that you can open by pressing Ctrl+R.
While it is not known how effective Genshin Impact anti-cheat runs on PC, so far no players have reported about someone hacking in materials or Primogems or dealing absurd damage against enemies. Usually, weird “experiments” like that only seem to happen on fan-made invite-only, exclusive private servers. But that doesn’t mean there are no problems surrounding the anti-cheat program.
The Problems with Genshin Impact’s Anti-Cheat
Back in September 2020, miHoYo was caught under flak when PC players noticed that Genshin Impact’s anti-cheat program is running on a “kernel-level” and continued to run after players exited or even uninstalled the game. Most people are concerned that the program is used as a back door for data privacy issues — especially considering that miHoYo is based in mainland China and, unfortunately, has to follow the government ruling regarding any information request, whether the company like it or not. Later, although the developer clarified that mhyprot2.sys does not read and save any information, it noted the concern and modified the system,
Thanks to the kind feedback of Travelers, we have realized that the default activation of this mechanism may have caused some privacy concerns for players. Therefore, we have decided to make modifications so that within the next 30 hours, the anti-cheat program will no longer run in the background after the game is closed nor after the game is uninstalled; furthermore, we will strengthen our anti-cheat mechanisms that operate while the game is running to better prevent the use of plug-ins and third-party software.
The kernel is basically the “core” of your computer’s operating system and has total control over all operations or programs carried out by your computer. Of course, this means if any software somehow is able to operate at the same level as the kernel — or called a “kernel-level driver or program” — it can easily make changes to your system without you even noticing.
Meanwhile, there also exists a “lower-leveled” or user-level anti-cheat in the market, although considered to be less effective (but safer) than kernel-level programs. One of the well-known programs is Valve Anti-Cheat. A number of online game developers also deploy server-side anti-cheat to detect discrepancies between server and player data, such as Activision-Blizzard’s Richochet and Ubisoft’s FairFight.
However, the problem doesn’t stop there. Apparently, while miHoYo has made changes to mhyprot2.sys, the game’s anti-cheat driver is now found susceptible to being abused by malicious third parties. In August this year, American-Japanese cybersecurity company Trend Micro released a paper detailing how mhyprot2.sys can be “integrated into any malware” regardless of whether Genshin Impact is installed in the target computer or not. It then can be used to kill antivirus and deploy ransomware into the target’s PC.
During the last week of July 2022, a ransomware infection was triggered in a user environment that had endpoint protection properly configured. Analyzing the sequence, we found that a code-signed driver called “mhyprot2.sys”, which provides the anti-cheat functions for Genshin Impact as a device driver, was being abused to bypass privileges.
In regards to mhyprot2.sys vulnerabilities, unfortunately, there’s nothing we can do since the driver itself is a valid program. It’s just that bad actors have found a way to utilize it to “covertly deploy” their malware onto their target’s devices.
[…] this module is very easy to obtain and will be available to everyone until it is erased from existence. It could remain for a long time as a useful utility for bypassing privileges. Certificate revocation and antivirus detection might help to discourage the abuse, but there are no solutions at this time because it is a legitimate module.
