AiProtection - Do I really need it?

[Skeptical.me]

This is why I keep mine enabled, even though I am uncomfortable with sharing private data with Trend Micro:

I had a RT-AC87U and this issue showed up. I preformed an isolation test (shutting down each device in the LAN for 2 hours at a time) and that didn't help me find where the malware was. So, I thought it may have been in the router it self. I reset the RT-AC87U only to see the return of these attacks. Then I purchased an RT-AC86U only to find the attacks were still happening. They only stopped appearing in AiProtection "Two Way IPS" after I installed SkeyNet (Firewall) but that doesn't mean the Malware has gone. I have no idea where it is embedded, and the source MAC Address that AiProtection indicates being the source device doesn't show up in any scans I do of my network.

If I didn't have AiProtection I wouldn't have a clue that something like this was attacking my network.

 

[jsbeddow]

Just a few observations. I'm not sure why you suspected that the source of these attacks were due to inside (LAN side) malware on your own devices: the notation in the screenshot above seems to indicate these were External Attacks (although you obscured the IPs and MAC adresses, so hard to know for sure). Second point: as you said, it is Skynet that has significantly reduced or eliminated these attacks, so this is far better (and more up to date, daily), than the Trend Micro AiProtection. Personally, I was less and less comfortable with this TM "sharing" of data, so I moved over to the @john9527 LTS fork that has none of this built in (although I do somewhat miss the adaptive QOS).

Also, BTW, I wouldn't consider the level of "attacks" you were seeing to be anything close to true targeted attacks against you, they are simply the normal level of "background noise" that is to be expected on the internet today. The AiProtection was simply showing you that it knew how to defend against already known attack vectors: not that impressive in my opinion, and should simply be expected behavior from a router that is kept up to date with either the @RMerlin or @john9527 firmware.

 

[Skeptical.me]

Just a few observations. I'm not sure why you suspected that the source of these attacks were due to inside (LAN side) malware on your own devices: the notation in the screenshot above seems to indicate these were External Attacks (although you obscured the IPs and MAC adresses, so hard to know for sure). Second point: as you said, it is Skynet that has significantly reduced or eliminated these attacks, so this is far better (and more up to date, daily), than the Trend Micro AiProtection. Personally, I was less and less comfortable with this TM "sharing" of data, so I moved over to the @john9527 LTS fork that has none of this built in (although I do somewhat miss the adaptive QOS).

Also, BTW, I wouldn't consider the level of "attacks" you were seeing to be anything close to true targeted attacks against you, they are simply the normal level of "background noise" that is to be expected on the internet today. The AiProtection was simply showing you that it knew how to defend against already known attack vectors: not that impressive in my opinion, and should simply be expected behavior from a router that is kept up to date with either the @RMerlin or @john9527 firmware.

The way I know its probably Malware is the fact that when my Dynamic IP changes the attacks continue. How would the same attacks continue from the same IP ranges if the source didn't know my new IP address?

 

[jsbeddow]

The way I know its probably Malware is the fact that when my Dynamic IP changes the attacks continue. How would the same attacks continue from the same IP ranges if the source didn't know my new IP address?

The same reason I cited before: the basic internet background noise of malicious bots, scanners, etc...essentially probing every IP address available looking for vulnerabilities. I was seeing roughly the same level of activity in the TM AiProtection pages as you are, when I was using it (up until about three weeks ago, when I moved over to the @john9527 fork and stopped worrying about seeing every non-targeted attack).

 

[Skeptical.me]

The same reason I cited before: the basic internet background noise of malicious bots, scanners, etc...essentially probing every IP address available looking for vulnerabilities. I was seeing roughly the same level of activity in the TM AiProtection pages as you are, when I was using it (up until about three weeks ago, when I moved over to the @john9527 fork and stopped worrying about seeing every non-targeted attack).

But that makes no sense. The same attacks from the same source, know my new IP to attack? How do you equate that to random background noise? And the logs were indicating a source from within my LAN is sending out information to these IP's???

Edit: Apparently I can't use @john9527 Fork as I have an RT-AC86U ... something about that fork using the older code base.

 

[jsbeddow]

I did say that I couldn't see all the source and destination info from your screenshot, so maybe, IDK. Maybe you do have some malware or device that is communicating with suspicious IP addresses.
Either way, I have decided to simply trust that an up to date firmware, along with Skynet, and combined with common sense things like not exposing the SSH access and router interface to the WAN side, are enough for peace of mind. As I said before, I don't need to see that the router is able to defend against known attacks, that should simply be an automatic given.

 

[jsbeddow]

Yes, sorry, it is true that your 86U router is not supported on this @john9527 fork.
On the bright side, I do envy the speed you can achieve with this router acting as a VPN client, the one function that is somewhat slow on my 68P.

 

[jsbeddow]

By the way, if you are concerned with the data sharing issue with Trend Micro, I presume you have probably seen this thread, and in particular the posts by @dugaduga regarding blocking that sharing:
https://www.snbforums.com/threads/384-6-now-sharing-data-to-trend-micro.48202/page-3

 

[bengan65]

hello, can that affect on vpn client, have an problem is connect to an vpn provider but not see outside of my router tested from leakip.net says have my public ip adress from my ISP

 

[Elmer]

For me it's not a matter of trust, it's one of stability. When I activate any Trend Micro code I'm in the reboot every other day mode. With trend micro turned off I can go for weeks. I have DOT turned on using Cloudflare DNS and Skynet. When I was running Skynet and Trend Micro together, Trend Micro hits were far and few between. Now, turning off the Trend Micro code, also means losing adaptive QOS, although you can still use traditional QOS without acceleration. I turned off QOS as well (which turns acceleration back on), and I dump everything into a managed switch which handles QOS - at least on the wired network.

 

[Vexira]

For me it's not a matter of trust, it's one of stability. When I activate any Trend Micro code I'm in the reboot every other day mode. With trend micro turned off I can go for weeks. I have DOT turned on using Cloudflare DNS and Skynet. When I was running Skynet and Trend Micro together, Trend Micro hits were far and few between. Now, turning off the Trend Micro code, also means losing adaptive QOS, although you can still use traditional QOS without acceleration. I turned off QOS as well (which turns acceleration back on), and I dump everything into a managed switch which handles QOS - at least on the wired network.

What router are you using if you don't mind me asking?

Sounds like there is an issue with the unit to me.

 

[Elmer]

Oh no. It's nasty Asus/TrendMicro AIprotection code. I've struggled with this for years. Every time a major new firmware update is made, I'll get the itch to turn QOS back on, and bam, crash, boom. To stop this I have to reboot every two days, and that's with an RX88. I was so frustrated by this problem that I upgraded from an AC88, and it was almost a once a day boot with Asus/TrendMicro enabled with that router. It's not the router. It's definitely some old never revisited AIprotection code. Symptoms are, memory starts off at about 50%, and then slowly climbs to almost 100% - with the TrendMicro code enabled, it crashes. Get the same behavior without TrendMicro, but it gracefully resets back to 50%. I used to blame add-ons, but trust me, I've experimented so many time with so many settings over years, that I can say it is definitely the AIprotection code. Not sure it was an issue with my older AC68, but I really wasn't attuned back then. Just look around the forums and you'll see people asking what the optimum amount of time for auto reboot is. It's not just me.