How Does Easy Anti-Cheat (EAC) Work?

Easy Anti-Cheat (EAC) is a kernel-mode anti-cheat owned by Epic Games. It loads a signed Windows driver at game launch, runs in ring 0 alongside the kernel, registers process and image-load callbacks via PsSetCreateProcessNotifyRoutine and PsSetLoadImageNotifyRoutine, scans process memory and loaded drivers against signature databases streamed from Epic servers, and exports behavioral telemetry for server-side review. EAC protects Fortnite, Apex Legends, Rust, Dead by Daylight, and roughly 130 other titles.

How Do Anti-Cheats Detect Aimbots?

Anti-cheats detect aimbots through three layered techniques: signature scanning (matching cheat binaries and known code patterns in memory), input/behavioral analysis (statistically anomalous mouse movement and reaction time distributions), and server-side validation (replay re-simulation comparing the player's reported view angles against what the demo file shows). Aimbot detection has shifted heavily toward behavioral ML in 2025-2026 — Anybrain, VACnet, Zakynthos, and Riot's ML pipeline are the new battleground.

How Does BattlEye Detect Cheats?

BattlEye is a kernel-mode anti-cheat from BattlEye Innovations operating in PUBG, Rainbow Six Siege, Arma 3, ARC Raiders, and other titles. It loads BEDaisy.sys as a signed driver, performs signature scanning of process memory, hooks kernel callbacks for process and image-load events, sweeps PCI configuration space and physical memory for DMA cards, validates module integrity via remote-server hash queries, and exports behavioral telemetry to BattlEye's backend for delayed wave bans.

What Is a Kernel-Level Anti-Cheat?

A kernel-level anti-cheat is anti-cheat software that runs in ring 0 — the same privilege level as the Windows kernel — via a signed driver loaded into the OS. This gives it visibility into all processes, threads, drivers, kernel callbacks, and physical memory on the system. Examples: Easy Anti-Cheat (EAC), BattlEye (BEDaisy.sys), Riot Vanguard (vgk.sys), Activision Ricochet, NeacSafe, Zakynthos. Defense Matrix and VAC are NOT kernel-level — they run in user mode.

What Is Riot Vanguard?

Riot Vanguard is Riot Games' kernel-mode anti-cheat for Valorant and League of Legends. It loads vgk.sys as an Early Launch Anti-Malware (ELAM) driver at Windows boot, requires TPM 2.0 and Secure Boot on Windows 11, enforces IOMMU on supported chipsets, hooks all kernel callbacks for process and image events, and bans aggressively at the hardware level — Riot logged 2.3M+ HWID bans in 2025 alone, including a 340K-account wave in five days in January 2026.

How Easy Anti-Cheat (EAC) Works in 2026

EAC ships as a signed kernel driver (EasyAntiCheat.sys) plus a user-mode service that gates whether the protected game is allowed to launch. Once the game process starts, EAC takes over the integrity boundary between the title and everything else running on your machine. The 2026 EAC kernel rebuild (delivered to Fortnite in Q1) is roughly 3-4x faster at signature scanning than the late-2024 build and expanded its kernel memory pool coverage substantially.

Kernel driver: what actually loads

EAC loads as an early-launch kernel driver. On Windows 10/11 it requires Secure Boot to be enabled in 2026 for the heavy-protection titles (Fortnite shipped this on Feb 19, 2026 alongside the TPM 2.0 and IOMMU mandate). The driver maps into kernel space and exposes an IOCTL surface to the user-mode service, which in turn talks to Epic's kernel.eac-prod.on.epicgames.com and messaging-public.live.eac.gg endpoints. The user-mode service streams in fresh signatures and revocation lists each launch, so a "clean dump" of EAC's driver tells you only what it was checking yesterday — not what it ships tomorrow.

What EAC reads in 2026

EAC registers callbacks against process creation (PsSetCreateProcessNotifyRoutineEx), thread creation (PsSetCreateThreadNotifyRoutine), image load (PsSetLoadImageNotifyRoutine), and object handles (ObRegisterCallbacks). When any process tries to open a handle to the protected game, EAC sees the request, strips access rights it considers dangerous (PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_VM_OPERATION), and logs the caller. It walks loaded driver lists in kernel memory looking for unsigned or pattern-matched drivers, scans the running process list, hashes loaded modules against known-bad signatures, and sweeps a configurable set of kernel memory pools for cheat artifacts.

Behavioral telemetry and server-side detection

EAC is not a pure scan-and-ban system. It exports session telemetry — input timing, hit cadence, view-angle deltas, projectile pre-fire patterns — to Epic's backend where ML models flag statistically improbable play. The publicly visible result is delayed ban waves: a player can run a detected build for days or weeks, get scooped up in a heuristic flag, and get banned 48-72 hours after the actual offense. EAC's per-game integration also adds Unreal Engine hooks for things like RPC validation, replay re-simulation comparisons, and AntiCheatCommonUE checks Epic exposes to engine licensees.

Limits of EAC

EAC is not omniscient. It cannot read what it does not have visibility into — kernel-level reads from a separate signed driver, hypervisor-level introspection, or fully external DMA setups (FPGA + secondary PC) operate outside EAC's process boundary. The IOMMU+TPM+Secure Boot stack closes the cheap end of that gap (it's why Fortnite's Feb 2026 rule devastated the budget DMA market — see our DMA pillar). External signed-driver cheats with hardware spoofing remain in the gray zone where EAC's signature and behavioral systems are the actual battleground, not its memory-read primitives.

Where RawCheats sits relative to EAC

RawCheats ships external-mode software cheats with hardware-layer spoofing for the EAC-protected titles where external is still viable (Fortnite, Apex, Rust, Dead by Daylight). We don't operate inside the EAC process boundary — we operate next to it, behind a hardware fingerprint that doesn't tie to your main account. The relevant defensive surface for our users is not "EAC kernel reads of game memory" but "EAC HWID and behavioral correlation across ban waves." See our HWID Spoofer 2026 Guide for the hardware-fingerprint side.

What's next

Epic has signaled deeper Unreal-Engine integration (replay re-simulation, server-authoritative aim validation) and tighter Pluton tie-in for next-gen Windows machines. The trajectory is server-side and hardware-rooted, not driver-side. EAC's kernel driver is becoming the boring half of the system; the interesting half is the telemetry pipeline and the attestation handshake. For the working cheat user, that means hardware-clean machines and tournament-tier tuning matter more in 2026 than they did in 2024.

The EAC 2026 kernel rebuild — what changed

The Q1 2026 EAC kernel rebuild (shipped to Fortnite first, rolling to other titles through Q2) made several material changes. Signature scan performance: 3-4× faster than the late-2024 build, driven by more efficient multi-pattern matching algorithms in the scan loop. Memory pool coverage: expanded kernel memory pool surveillance, particularly the NonPagedPool regions where manually-mapped drivers historically hid. Callback registration: tighter use of ObRegisterCallbacks to lock down handle access to the Fortnite process. Behavioral telemetry: increased data export to Epic''s backend ML pipeline, supporting denser per-session analysis.

The rebuild''s practical impact: cheat developers who had stable Fortnite builds in late 2025 saw their builds become detection-risk in Q1 2026 as EAC''s scan coverage caught patterns that had previously evaded detection. The detection wave that followed the rebuild was significant for the consumer cheat market, and several mid-tier cheat providers lost detection-clean status they''d held for months. RawCheats'' Fortnite product (see Raw Fortnite) updated through the rebuild cycle and has maintained survivability through ongoing iteration. See our Fortnite Cheats 2026 Guide for the player-side timeline.