Malicious Site Blocking, Vulnerability Protection, etc.

Authority

Senior Member
Anyone have any thoughts on how these Asus / Trend Micro features work, how WELL they work, and how they impact privacy and/or performance?

My assumption was these features were all DNS. However it does seem to work with OpenDNS, so maybe it just does extra lookups? That sounds like a privacy issue.

I use OpenDNS, and I don't think these Asus / Trend Micro features add much if any value for me. Am I wrong?
 
Trend Micro is generally considered as having one of the best malicious site blocking services. That WRS service is the same one that powers their business solutions, such as Worry-Free Business.

I'd expect TM to react far more quickly than OpenDNS in adding new malicious sites to their database.

Security software NEEDS to rely on the cloud these days to be effective. The old signature-based method is increasingly ineffective, as new threats appear more quickly than ever before. That's the route being taken by all of them these past few years. Some of them (like Eset) will make it optional, but you greatly reduce their efficiency by not leveraging the cloud.
 
I'd expect TM to react far more quickly than OpenDNS in adding new malicious sites to their database.

That surprises me, I'd expect OpenDNS to be faster to update and more comprehensive, especially since being acquired by Cisco.

Interestingly, having both Trend Micro turned on AND OpenDNS, I went to a malware test page. Of half a dozen test links, all but one were blocked by OpenDNS, only one by Trend. When I turned Trend OFF, then OpenDNS blocked it too (which I didn't understand).
 
That surprises me, I'd expect OpenDNS to be faster to update and more comprehensive, especially since being acquired by Cisco.

I was expecting TM to have a faster response time because this is their core business, and a lot of their commercial business products rely on this service. They probably get more feedback about new sites than OpenDNS does, and probably have a far larger security team as well.

Remember that Cisco's core is networking, not security (though I suspect OpenDNS still mostly runs separately; they are just owned, not run, by Cisco).

Interestingly, having both Trend Micro turned on AND OpenDNS, I went to a malware test page. Of half a dozen test links, all but one were blocked by OpenDNS, only one by Trend. When I turned Trend OFF, then OpenDNS blocked it too (which I didn't understand).

That's odd. Try looking them up directly on their server:

http://global.sitesafety.trendmicro.com/

Maybe it's something in Asus's implementation that's not fully leveraging the capabilities of TM's WRS backend.

Also, I'm not sure how indicative of its efficiency a malware test site would be, as WRS blocks known malicious sites, rather than actual malicious files. I've seen reports from security specialists who tested Asus's implementation against known malware sites, and they reported a very high block rate.
 
Also, I'm not sure how indicative of its efficiency a malware test site would be, as WRS blocks known malicious sites, rather than actual malicious files. I've seen reports from security specialists who tested Asus's implementation against known malware sites, and they reported a very high block rate.

I guess it kind of makes sense. Here's the test site:

http://www.wicar.org/test-malware.html

With Trend WRS turned on and OpenDNS, Trend blocks ONLY the first link, OpenDNS blocks everything else. When I turn Trend WRS off, OpenDNS blocks everything, including the first link that was blocked by Trend. So it looks like Trend lookups are before DNS?

It seems to me OpenDNS is either more current or it just blocks a wider variety of stuff; either way, OpenDNS is a win.
 
My experience on 0day malicious sites is that TM is blocking far more sites than OpenDNS. Your test site is not really a good reference to test TM effectiveness, as TM simply does not recognise wicar.org as a malware spreading site. You have to try with real ones, such as the malc0de database or malware domain lists.

In any case, at the end of the day it is not about actual protection but how protected you feel with what you use. In your case, peace of mind is with OpenDNS :)
 
I've seen reports from security specialists who tested Asus's implementation against known malware sites, and they reported a very high block rate.
Which reports did you see? I would like to see that too.
I guess it kind of makes sense. Here's the test site:

http://www.wicar.org/test-malware.html

With Trend WRS turned on and OpenDNS, Trend blocks ONLY the first link, OpenDNS blocks everything else. When I turn Trend WRS off, OpenDNS blocks everything, including the first link that was blocked by Trend. So it looks like Trend lookups are before DNS?

It seems to me OpenDNS is either more current or it just blocks a wider variety of stuff; either way, OpenDNS is a win.
What I realized is that if you turn off both Trend Micro and OpenDNS site blocking and leave only Trend Micro Vulnerability Protection, you won't be able to download any sample malware from that site. But if you turn off Vulnerability Protection as well, then you will be able to download it. So the Vulnerability Protection part can also play an important role.
 
Anyone have any thoughts on how these Asus / Trend Micro features work, how WELL they work, and how they impact privacy and/or performance?

My assumption was these features were all DNS. However it does seem to work with OpenDNS, so maybe it just does extra lookups? That sounds like a privacy issue.

I use OpenDNS, and I don't think these Asus / Trend Micro features add much if any value for me. Am I wrong?

I would say this is incorrect. However, I'll put it in a middle ground way.

On one end, you have an enthusiast router. Just a router. Let's use the RT-AC66U as an example. It's a reasonable router, it has nice wireless. But no protection.

On the other end, you have UTM devices from companies like Watchguard, Sophos, Sonicwall, and Fortinet (to name a few). These add (depending on the subscriptions you purchase) gateway antivirus, intrusion prevention, website blocking, advanced threat protection, and spam blocking (via either SMTP or sometimes POP3). These are intended for small to medium business. They can be very effective, especially if configured properly.

The new ASUS units occupy a middle ground. It's got a website blocking feature. It's got a basic form of gateway antivirus, and it's got a basic form of intrusion prevention. Having used Trend Micro OfficeScan and Worry-Free Business myself, I'll say from an A to an E in antivirus, it's middle ground in my opinion. But all of these features are made easy compared to a UTM device; geeks can configure them, but the average user isn't going to get it. And most enthusiast routers don't have any of this yet; this is a great thing for a user who wants set-it-and-forget-it protection.

The ASUS units don't use DNS for this, other than that they use DNS lookups for some of it, like OpenDNS does. What they use along with it is a database compiled by Trend Micro that matches the websites up with a list of malicious ones and blocks them. In addition, it uses a database of signatures that identifies viruses to work to prevent them. These databases aren't a clone of OpenDNS, and as such, using this unit with OpenDNS is a combined defense.

P.S. Sophos makes their UTM free for home use; you just need a NUC-style dual-NIC system to run it. That probably is the best of both worlds. It will be a decent router with good security, but it won't have wireless. You'll need the geek cred to set it up though.
 
I would say this is incorrect. However, I'll put it in a middle ground way.

The new ASUS units occupy a middle ground. It's got a website blocking feature. It's got a basic form of gateway antivirus, and it's got a basic form of intrusion prevention. Having used Trend Micro OfficeScan and Worry-Free Business myself, I'll say from an A to an E in antivirus, it's middle ground in my opinion. But all of these features are made easy compared to a UTM device; geeks can configure them, but the average user isn't going to get it. And most enthusiast routers don't have any of this yet; this is a great thing for a user who wants set-it-and-forget-it protection.

The ASUS units don't use DNS for this, other than that they use DNS lookups for some of it, like OpenDNS does. What they use along with it is a database compiled by Trend Micro that matches the websites up with a list of malicious ones and blocks them. In addition, it uses a database of signatures that identifies viruses to work to prevent them. These databases aren't a clone of OpenDNS, and as such, using this unit with OpenDNS is a combined defense.
I agree; it's a middle ground and does not work like DNS. Not only can it block malicious websites, but it can also report them to the admin. From what I have read so far, I have found nothing yet to show me that the router really works as an antivirus or has intrusion prevention. But as I mentioned above, vulnerability protection at least blocked me from downloading the EICAR virus test file (with all other protection off, including malicious website protection), which might be blocking downloads from malicious IPs. However, I tried sending the EICAR test file through Skype and the router with AiProtection did not block the transfer (which I think is normal for basic intrusion detection). When I can, I will try transferring the same file through something that does not have a secure connection and see if the router catches it.
 
I agree; it's a middle ground and does not work like DNS. Not only can it block malicious websites, but it can also report them to the admin. From what I have read so far, I have found nothing yet to show me that the router really works as an antivirus or has intrusion prevention. But as I mentioned above, vulnerability protection at least blocked me from downloading the EICAR virus test file (with all other protection off, including malicious website protection), which might be blocking downloads from malicious IPs. However, I tried sending the EICAR test file through Skype and the router with AiProtection did not block the transfer (which I think is normal for basic intrusion detection). When I can, I will try transferring the same file through something that does not have a secure connection and see if the router catches it.

No gateway AV function is perfect. But ASUS wouldn't bother with the Trend Micro logo if they weren't working with them, and the code likely wouldn't be closed-source either.

Chances are likely that the gateway AV works (it often does in many firewalls and UTM devices that have it), using the signature database to compare the md5 hash of a file the user attempts to download to known file signatures; it blocks anything that matches the signature database.

Now here's a feature that UTM boxes do that the ASUS does not (or at least does not advertise) - they usually scan within .ZIP files as well. This prevents someone from encapsulating malware inside a zip, or inside of a zip that's in another zip (both for browsing, and for mail coming in through SMTP as an attachment). My firewall has a default of scanning three levels deep into ZIP files, though that is adjustable. Also, UTM boxes have options for deep-packet inspection of HTTPS traffic, though this requires adding a security certificate to the firewall and then making it a trusted certificate on all boxes behind the firewall as well. So as I said, the ASUS box is a much better solution than OpenDNS alone; but compared to the solution below from Sophos, it doesn't measure up.

https://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx
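To make the two behaviours above concrete (a hash lookup against a signature database, and scanning a configurable number of levels into nested ZIPs), here is an added Python illustration; it is not ASUS, Trend Micro or Sophos code, and the "known bad" sample and its blocklist entry are constructed for the demo. It shows why the depth limit matters: with the default of three levels, a sample wrapped in a fourth ZIP layer passes unscanned.

```python
"""Gateway-style download check: hash each blob against a blocklist and
recurse into ZIP archives up to a configurable depth. Added illustration of
the UTM behaviour described above, not ASUS, Trend Micro or Sophos code."""
import hashlib
import io
import zipfile

# Constructed "known bad" sample; a real gateway ships vendor signatures.
BAD_SAMPLE = b"constructed-malicious-sample-for-demo\n"
# md5 as the post describes; a production gateway should prefer SHA-256.
BLOCKLIST = {hashlib.md5(BAD_SAMPLE).hexdigest(): "demo.sample"}
DEFAULT_ZIP_DEPTH = 3  # the firewall default quoted in the thread


def scan_bytes(data, name="download", depth=0,
               max_depth=DEFAULT_ZIP_DEPTH, blocklist=BLOCKLIST):
    """Return a list of (path, signature) hits found inside data.

    The blob's own md5 is checked first; then, if it is a ZIP and we are
    still within max_depth, every member is scanned recursively. Archives
    nested deeper than max_depth are left unopened, which is exactly the
    gap an adjustable depth limit leaves.
    """
    hits = []
    digest = hashlib.md5(data).hexdigest()
    if digest in blocklist:
        hits.append((name, blocklist[digest]))
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                hits.extend(scan_bytes(zf.read(member), f"{name}/{member}",
                                       depth + 1, max_depth, blocklist))
    return hits


def make_nested_zip(payload, levels, inner_name="sample.bin"):
    """Wrap payload in `levels` ZIP layers (constructed test input)."""
    blob, name = payload, inner_name
    for level in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, blob)
        blob, name = buf.getvalue(), f"level{levels - level}.zip"
    return blob


if __name__ == "__main__":
    print(scan_bytes(make_nested_zip(BAD_SAMPLE, 3)))  # found at depth 3
    print(scan_bytes(make_nested_zip(BAD_SAMPLE, 4)))  # [] at default depth
    print(scan_bytes(make_nested_zip(BAD_SAMPLE, 4), max_depth=4))  # found
```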
 
No gateway AV function is perfect. But ASUS wouldn't bother with the Trend Micro logo if they weren't working with them, and the code likely wouldn't be closed-source either.

Chances are likely that the gateway AV works (it often does in many firewalls and UTM devices that have it), using the signature database to compare the md5 hash of a file the user attempts to download to known file signatures; it blocks anything that matches the signature database.

Now here's a feature that UTM boxes do that the ASUS does not (or at least does not advertise) - they usually scan within .ZIP files as well. This prevents someone from encapsulating malware inside a zip, or inside of a zip that's in another zip (both for browsing, and for mail coming in through SMTP as an attachment). My firewall has a default of scanning three levels deep into ZIP files, though that is adjustable. Also, UTM boxes have options for deep-packet inspection of HTTPS traffic, though this requires adding a security certificate to the firewall and then making it a trusted certificate on all boxes behind the firewall as well. So as I said, the ASUS box is a much better solution than OpenDNS alone; but compared to the solution below from Sophos, it doesn't measure up.

https://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx
So the free Sophos Home Edition scans .ZIP and HTTPS traffic as well, right? That would make it more interesting to set up as, if I remember correctly, free pfSense doesn't scan HTTPS traffic. Also, are you saying that Asus AiProtection does scan normal traffic that is not SSL or TLS for malware?
 
Cisco also owns Snort, and anyone who knows about Snort knows it is a security solution company ;)
Anyway, I have them both enabled (RT-3200) but use a Snort IDS/IPS solution along with e2guardian/squid/privoxy.
 