RT-AC87U AiProtection

[Smedley]

Does the Malicious Site Blocking feature of AiProtection send URLs to Trend Micro for validation, or is a Black List of URL's downloaded and maintained in the router itself?

Also, how does the Infected Device Prevention and Blocking work? What information is transmitted to Trend Micro?

 

[watusi]

It's a mystery, isn't it?

I think it's odd that Asus adds all this "protection" stuff and then tells us NOTHING about what it is doing.

Trust us?

I think it uses a downloaded list. There is a separate section for using DNS-based filtering services. That would, indeed, be sending all of your DNS requests to a third-party DNS provider.

 

[Smedley]

It is indeed a mystery. I have tried a number of different Google searches and can't find an explanation as to what information, if any, is being sent to Trend Micro, where the URLs are screened, or how it determines if a LAN device is infected and should be blocked. I would hope if URLs are being sent somewhere, it would only be the domain portion, but it would be reassuring to have that confirmed.

I would also think that there would be a significant performance impact if URLs, or parts thereof, are first sent to the "cloud" for real-time comparison against a black-list.

I am surprised that there isn't more concern about the potential impact to the privacy of our information and our web browsing history.

I see the source code is available on the Asus support site. If someone could point me to the likely modules that perform the Trend Micro functions, I could try to read through the code to figure out how it operates.

 

[watusi]

Are you using Asus unmodified code, or are you using AsusWrt-merlin?

I think in either case, the source code is easier to consume if you look at the Merlin code. I doubt anything would be different in this part.

You can simply view the code on gitHub! (you don't need a gitHub account.)

https://github.com/RMerl/asuswrt-merlin

I'm a newbie, so maybe others can point you to likely places in the code. I can only give you the 10,000-foot view. Start at release/src/router.

 

[watusi]

I doubt very much that it is sending anything to Trend Micro for the purpose of screening. That would impact performance too much. I do have the feature turned on, and have noticed no difference in performance, no delay in bringing up pages, etc.

On the other hand, if it does discover something then I would presume it would send a report to TrendNet, at least for the purpose of collecting statistics. More transparency would be nice. It would be nice to know if and how this information is anonymized.

I am not using a DNS protection option. All that is really doing is setting your DNS to an alternative provider that provides filtering, and giving you some nice checkboxes that match the options available on those services. It's just putting a pretty face on it. You switch the DNS to, for example, OpenDNS, manually (override DHCP) and then go sign-up at OpenDNS and set your categories. Big whoop, it puts everything all in one place.

In theory, this should not impact performance, since you need to do DNS anyway. There might be some performance loss (or gain) because then you are not using your ISPs DNS servers. Many people find, for example, that Google's servers are more performant than their own ISP's DNS.

It's hard to search for this, because Asus has recycled the term AIProtection. They've used the same term in the past for some kind of BIOS thingy on their motherboards. Something to do with over-clocking...

 

[watusi]

Easy search: just go to the GitHub page, and then type in AiProtection in the search box. Quite a few hits, I didn't go past the first page, which shows hits in various web pages in the UI.

 

[RMerlin]

The TrendMicro code is closed source, so there won't be much for you to look at there. Only a sub portion of the userspace code is open source, and all it does is pretty much stop/start the engine.

I don't know the details either, but I can tell that it DOES use a signature file (newer versions of the firmware will even report the signature version on the Firmware Upgrade page). There are plans to have an automatic update of the signature files, however I don't know if it's functional yet or still a work in progress.

Checking back with an external server isn't as slow as you might think BTW. Your browser already does that (be it Microsoft's Smart Screen, or Firefox/Chrome's own malicious website checks done with Google's online database). Most modern virus scanners do as well, like Norton Security 2015. That does not mean it's the case with the TrendMicro router engine - I simply don't know.

When you first enable the feature there's a rather long legalese you have to accept. You might want to read it to see if there's more details.

 

[Smedley]

Checking back with an external server isn't as slow as you might think BTW. Your browser already does that (be it Microsoft's Smart Screen, or Firefox/Chrome's own malicious website checks done with Google's online database). Most modern virus scanners do as well, like Norton Security 2015.

Thanks to Merlin and watusi for the information... I am happy to learn that AiProtection uses downloaded signature files.

I understand that many security packages and/or browser add-ons check URLs with external databases. That is why I turn them off or otherwise remove them.

With all the data aggregation taking place, I prefer not to take the chance of having my browsing history logged or tracked where it may be associated with personally identifiable information. Where I chose to do my online shopping, banking, etc. should not become marketable information for someone trying to profit off my attempts to keep my computers and networks malware free.

 

[boyet]

Disabled it.

First time poster here as I just had the 87U running for just over a month now. I disabled it after trying it since the beginning because: there's not much info about this and I don't want any privacy intrusion just as I disable web browser's plugins; it slowed down my download speed by almost half based on IPV6 Comcast speed testing (I have 105 mbps down) although it was hardly noticeable (after I turned off AIProtection, the speed went back to normal); it was reporting to me that it was intercepting/blocking network access to my NAS drive, which should be allowed and I have no control to fix this . I'm just using latest Asus stock firmware.

 

[LoneWolf]

Thanks to Merlin and watusi for the information... I am happy to learn that AiProtection uses downloaded signature files.

I understand that many security packages and/or browser add-ons check URLs with external databases. That is why I turn them off or otherwise remove them.

With all the data aggregation taking place, I prefer not to take the chance of having my browsing history logged or tracked where it may be associated with personally identifiable information. Where I chose to do my online shopping, banking, etc. should not become marketable information for someone trying to profit off my attempts to keep my computers and networks malware free.

If Trend Micro or others did this, it would not only affect their sales (e.g., a security issue developed by someone selling you an appliance in charge of your Internet security), but would require actually being able to identify you as an individual and market back to you based on this. With those in mind, I think your concerns are unfounded, with no disrespect intended.

Plenty of professional firewalls do just this, even with a signature file. Watchguard's Webblocker feature uses the Websense cloud to identify sites; it is just one example. There is no noticeable latency, and one advantage is that it is constantly updated. To reduce latency, a firewall like the Watchguard caches a number of recent URLs to ensure that regularly used domains don't require constant refresh.

 

[watusi]

FYI, I have the following turned on:

- Malicious Sites Blocking
- Vulnerability Protection
- Infected Device Prevention and Blocking
- Web & Apps Filters (no client list)

(There is some seemingly-unrelated feature for which the last one has to be on, even though I have no client list or boxes checked. Forget what that feature is...)

DNS filtering is disabled. I use Cox DNS.

I get close to 130mbit/sec from Cox (they promise 100) both before and after enabling this stuff.

 

[Smedley]

If Trend Micro or others did this, it would not only affect their sales (e.g., a security issue developed by someone selling you an appliance in charge of your Internet security), but would require actually being able to identify you as an individual and market back to you based on this. With those in mind, I think your concerns are unfounded, with no disrespect intended.

I agree that a company like Trend Micro would likely not use aggregated information to themselves market back to their customers. My concern would be that they sell the information to a third-party for marketing or other purposes.

If they were so inclined, associating a MAC address, or fixed IP address, to an aggregated URL history would be pretty straightforward. Attaching a name, or names, to the address might be a bit more challenging, but likely achievable, if joined with data from other aggregators (e.g. Google, Yahoo, Acxiom).

Many companies track, collect and utilize or sell our personal information without our knowledge. If one cares to limit their information leakage, vigilance is required. We cannot just trust that commercial enterprises will do the right thing in this regard. I would hope that Trend Micro would not do anything to compromise our privacy, but I for one would like to know what information is being sent that "might" be logged.

If others are not concerned, it's a non-issue, regardless of the mechanics of the AiProtection mechanism.

 

[watusi]

FYI, my first one! I think I'm sold...

I was re-installed Xcode 5.1.1 on my tired old MacBook after update from Xcode 6.1 to 6.1.1 mysterious wiped-out my 5.1.1 (a common occurance, sigh. Best approach is to move any Xcode's installed to an external drive, then disconnect the drive during the install...)

Anyway, the "verification" step takes a long time, and it's an old tired Core2 duo, and I couldn't remember the command-line to mark it as "verified" and skip the verification.

So I googled for "OSX install skip verify" or some-such, and clicked on the top entry.

See the attached image.

Yea, I'd say that a landing page for a search on bypassing downloaded software verification would be a great place to put malware.

 

[RMerlin]

Again, has any of you guys actually read the EULA? It's shown to you the first time you activate the feature, and it tells you how TrendMicro handles your privacy.

If you didn't read it and just blindly accepted it, you can access it directly with this URL (just adjust the router's IP):

http://192.168.1.1/tm_eula.html

 

[watusi]

Now, I don't know how up-to-date the data is, though...

I did some searches on that site name and "malware" and it looks like maybe they had a problem in 2010.

Better safe that sorry though. If it's a site that I really, really want to visit, I will browse on my iPad, where the is little chance of foul play having any effect.

There are plenty of landing pages in the sea.

 

[Smedley]

Again, has any of you guys actually read the EULA? It's shown to you the first time you activate the feature, and it tells you how TrendMicro handles your privacy.

If you didn't read it and just blindly accepted it, you can access it directly with this URL (just adjust the router's IP):

http://192.168.1.1/tm_eula.html

Thanks Merlin!

 

[watusi]

Again, has any of you guys actually read the EULA?
http://192.168.1.1/tm_eula.html

Why, of course not!

Thanks!

 

[watusi]

FYI, I've gotten my first popup from within an iOS native app. Was wondering when that might happen and how it might be handled!

Many iOS apps are hybrid - they use a UIWebView for the UI. And may apps that are mostly truly native still use a UIWebView for some content. News and other "feed" type apps tend to do this.

Of course, the popups could create some unexpected results! Especially if the native app is doing Ajax and then gets some popup stuck in the middle of results!

Anyway, it was "interesting". I was using my favorite (and not long for this world...) new aggregator, Zite. (Flipboard bought them. They are "incorporating Zite features into Flipboard." Yea, right!)

I got a popup indicating a site with low-quality, scraped content. But I still got the news content.

I am assuming it one of those "from around the web" footers that has links to "sponsored content" (which is not always marked as "sponsored" or "advertisement".

I'm surprised that it blocked this, though.

There are some dependencies that don't make much sense. You MUST turn on Parental Control/Web & Apps Filters in order for Malicious Sites Blocking to work. (Actually, if you turn on Malicious Sites Blocking, it will turn on Parental Control/Web & Apps Filters for you.)

Note that I did NOT select any clients or content categories in Web & Apps Filters.

It seems you get filtering of "low-quality scraped sites" whether you want that filtered or not, so long as you turn on Web & Apps Filters and/or Malicious Sites Blocking.

Turned this stuff off, since I really do not know what it is doing or how to really control it. It' remains in the "interesting, but not practical" category...

 

[FlipFlop]

I've monitored some of it's behavior. I've noticed that one thing the router does (if you have enabled any part of AiProtection) is sending the full url of visited webpages to Trend Micro. Within between 20 seconds to a few minutes, a Trend Micro bot then connects to that exact same url, if your original url uses GET then it can even include your session tokens and all the other key/pairs that were in the original url. So it can receive an exact copy of the page you visited, even if you're logged in on a regular/unencrypted http:// website. I haven't monitored what happens with POST requests yet.

This means that Trend Micro can collect, monitor and store your complete browsing history AND results and technically can even take over (unsecure) web sessions by using the token you use yourself. This is a huge privacy and security issue.

I recommend everyone who uses a router with AiProtection and cares about privacy to completely disable it, and to take other security measures to make sure you don't get infected by malicious sites, and update firmware regularly to protect against vulnerabilities.

In this case the IP range of the Trend Micro botnet was in the 150.70.*.* range, but that might not always be the case.

 

[fax]

I am not sure where is the scoop here. If you activate the URL filtering then you need to transmit the URL to be able to check it. This is common to many cloud based AV solutions. The privacy issue is there if you believe that a security company would not do its job and do something else with the data. A kind of a suicide behaviour that make no business sense.