History of the web

[Portalnet]

Hello, what's the capacity of the History tab? of how many maximum days can there be entries?
Are these history entries saved to RAM or somewhere on non-volatile memory?

 

[Yota]

Trend Micro's web history data is saved in jffs, which means it persists across reboots.

Traffic Monitor's data is saved to RAM by default, but the Asuswrt-Merlin firmware allows you to change it to another location.

 

[Portalnet]

So Web History is a Trend Micro application, not Asus? And at the same time it has a closed code, it cannot be modified or improved?

 

[Tech9]

So Web History is a Trend Micro application, not Asus?

It uses TrendMicro engine for unknown reason and is perhaps closed source.

 

[Yota]

So Web History is a Trend Micro application, not Asus? And at the same time it has a closed code, it cannot be modified or improved?

Bingo! You can see which ones are from Trend Micro on this page http://192.168.50.1/Advanced_Privacy.asp.

It's unclear to me how long they will log, since I don't rely on these closed source components to log my data, I personally use dnsmasq to log dns log requests.

But for Trend Micro's traffic analytics, I've heard they only hold 30MB of data.


But you can make a link to point the directory in JFFS that holds the data to a USB driver, or somewhere else, this requires a custom script, which is hard to do with Asuswrt, you need to use Asuswrt-Merlin.

 

[Yota]

It uses TrendMicro engine for unknown reason and is perhaps closed source.

Maybe because it's domain records are not DNS based, I tested it before and in my browser with DNS over HTTPS enabled, Trend Micro was still able to accurately identify the domains I was visiting, I guess they did via SNI.

 

[Tech9]

I don't know. It somehow works in FreshTomato without TrendMicro and with DNS interception + DoT.

 

[sean storm]

Trend Micro's web history data is saved in jffs, which means it persists across reboots.

Traffic Monitor's data is saved to RAM by default, but the Asuswrt-Merlin firmware allows you to change it to another location.

Do you know if this data is transferred to TrendMicro at all. Even when on VPN, they can see your web history

 

[Yota]

Do you know if this data is transferred to TrendMicro at all. Even when on VPN, they can see your web history

I haven't looked into it, but a year ago I looked into Trend Micro's Malicious Sites Blocking feature, which sends a request to Trend Micro servers every time you visit a URL.

The requests are encrypted with SSL, which I cannot decrypt, but there are quite a few requests per day.

When I tried to block the request URL and IP address sent to Trend Micro, Malicious Sites Blocking completely failed, it no longer blocked any sites, including known malicious sites.

In addition, Malicious Sites Blocking feature checks all websites that the router VPN client passes through.

Encrypted DNS at the client level doesn't help, they must be using SNI to determine the URL to visit.

What annoys me is that if there are signatures downloaded locally, i.e. a list of malicious websites, why do I have to contact Trend Micro's servers every time I visit a website? There's no reason to do this, it's entirely possible to run the function locally.

 

[Tech9]

What annoys me is that if there are signatures downloaded locally, i.e. a list of malicious websites, why do I have to contact Trend Micro's servers every time I visit a website?

No one can tell for sure what it does, but the local engine with signatures file perhaps does exactly what it says - it looks for specific signatures in your files and browsing history. When a match is found, the URL goes to TrendMicro for further analysis. As per EULA, they can collect files as well, not only URLs. Data collection daemon obviously collects data. Your data is used for their paid services development and improvement. Security is the product they sell.

There's no reason to do this, it's entirely possible to run the function locally.

There is no reason for TrendMicro to provide this service to you for free. They obviously want something from you.

 

[RMerlin]

They obviously want something from you.

Or money from Asus.

 

[Yota]

When a match is found, the URL goes to TrendMicro for further analysis.

In fact, every time a website is visited, relevant data is sent to Trend Micro, not just known malicious websites, I mean all.

But malicious content blocking doesn't work every time, while I was testing, I remember when a malicious site was first discovered, it would allow traffic through once (perhaps to get the full packet), and then only on the second visit will be blocked, but it will still contact Trend Micro's servers every time.

This domain and IP address are the Trend Micro server that I recorded. I added it to the filter list of the firewall.

rgom10-asus-en.url.trendmicro.com 104.94.237.177

There is no reason for TrendMicro to provide this service to you for free. They obviously want something from you.

Or money from Asus.

I don't like guessing because it's pointless. Only Trend Micro can explain what they did, and their EULA doesn't provide a direct answer, instead fueling speculation.

Of course, it might be possible to add a self-signed root certificate to decrypt the SSL traffic and figure out what data is being sent to Trend Micro, but I don't want to do that and it's easier for me to turn it off.