Trend Micro AIProtection - disappointing alert message - VP victim

martinr

On my RT-AC68U, I enabled the AIProtection, specifically, the Vulnerability Protection and the Infected Device Protection and Blocking.

I was recently sent several AIProtection Alert emails with the following message:

Event number : 1
Alert type : VP victim
Device : Vaio Wireless 00:27:10:47:05:xx (xx inserted by me for this post)

URL/IP access : 192.168.10.51

Event number : 2
Alert type : VP victim
Device : Vaio Wireless 00:27:10:47:05:xx
URL/IP access : 192.168.10.51

Suggest action: Your client devices has been detected suspicious networking behavior and blocked connection with destination server to protect your sensitive information.
Based on our recommendation, you can
1. Remove app that access this site and don't visit this website to prevent any personal information leak.
2. Check your router security setting.
3. Update security patch for your client or new firmware for your router.
Please refer to attached log file for detail information. You also can link to trend micro website to download security trial software for your client device protection.


And the contents of the attached log file read:

2015-03-12 14:05:51 00:27:10:47:05:xx is attacked by 192.168.10.51 via TCP 443, this action has been blocked.


It appears I'm not the first to have had this kind of message, where it seems that my laptop attacked its own wireless adapter. But what is disappointing is:

1. It doesn't say what "VP victim" means.
2. Truly, the standard of the English in scam emails I get from Nigeria is of far better quality than the English in this message.
3. It tells me nothing about which "app" caused the problem but tells me to remove the "app" and not to re-visit the website.
4. It also tells me to "Check your router security setting." Unfortunately, it doesn't bother to tell me which setting it has in mind or what I should check it for.



Having tried unsuccessfully to send feedback to ASUS concerning its AC68U user manual, I have, instead contacted Trend Micro to state my disappointment over the poor quality of its alert.

It's only the fact that RMerlin runs some of the AIProtection modules on his own router that stops me turning AIProtection off. In the meantime, I hope to find out what caused the alert to be sent, and, if Trend get back to me, I'll re-post.
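
A triage sketch for the log format quoted in the post above, added here as an example; it is not part of the thread and is not ASUS or Trend Micro code. It parses the "is attacked by" lines and labels each reported source as the victim device itself, another LAN host, or an external address. The `leases` map, the label names and every sample line except the first are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Line format taken from the log entry quoted in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<victim>[0-9A-Fa-fxX:]{17}) is attacked by (?P<src>\S+) "
    r"via (?P<proto>TCP|UDP) (?P<port>\d+), this action has been blocked\.$"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(line):
    """Return the fields of one alert log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(event, leases):
    """Label source vs. victim; leases maps LAN IP -> MAC (hypothetical input)."""
    try:
        src = ipaddress.ip_address(event["src"])
    except ValueError:
        return "not-an-ip"
    owner = leases.get(event["src"], "").lower()
    if owner == event["victim"].lower():
        return "self"        # the device is reported as attacking itself
    if any(src in net for net in RFC1918):
        return "lan-peer" if owner else "lan-unknown"
    return "external"

def triage(lines, leases):
    """Count events per (victim, source, port, label); skip unparsable lines."""
    counts = Counter()
    for line in lines:
        ev = parse(line)
        if ev:
            key = (ev["victim"], ev["src"], int(ev["port"]), classify(ev, leases))
            counts[key] += 1
    return counts

TAIL = ", this action has been blocked."
SAMPLE = [  # first entry is the line from the post; the rest are constructed
    "2015-03-12 14:05:51 00:27:10:47:05:xx is attacked by 192.168.10.51 via TCP 443" + TAIL,
    "2015-03-12 14:06:02 00:27:10:47:05:xx is attacked by 192.168.10.51 via TCP 443" + TAIL,
    "2015-03-12 15:10:09 00:11:22:33:44:55 is attacked by 203.0.113.7 via TCP 80" + TAIL,
    "2015-03-12 15:12:40 00:11:22:33:44:55 is attacked by 192.168.10.51 via TCP 445" + TAIL,
    "unrelated syslog noise",
]
LEASES = {"192.168.10.51": "00:27:10:47:05:xx"}  # assumed: the laptop's own address
```

Events labelled `self` match the pattern described in the post, where the reported attacker address belongs to the same device named as the victim, so they can be separated from events whose source is a different LAN host or an external address.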

 
I get 10+ of these per week. It is pretty useless.
 
I get 10+ of these per week. It is pretty useless.
Thanks. Then I won't bother wasting time trying to find out what triggered the sequence of messages. Reassuring to know I'm not alone, but not very reassuring in other respects.

Thanks.
 
I don't use the Infected Device detection. I only use the Vulnerability Protection feature.
 
Can you tell them to give us a choice on alerts other than using Google Mail? I would like to try the protection features but don't use Google Mail.
 
Can you tell them to give us a choice on alerts other than using Google Mail? I would like to try the protection features but don't use Google Mail.

Ditto. I'm amazed that any tech manufacturer assumes that you use one specific provider for email and only supports that hardcoded provider.
 
Can you tell them to give us a choice on alerts other than using Google Mail? I would like to try the protection features but don't use Google Mail.

I have already had a reply from Joana at Trend Micro Consumer Support. Not bad given it's the weekend. As luck would have it, the text file I sent wouldn't open, so I sent a link to this forum topic instead. All being well, they'll not only read my initial comments but also all your follow-up ones, too.

And if there's anything of interest to report, I will let you know. Thanks for the comments.

Martin
 
Ditto. I'm amazed that any tech manufacturer assumes that you use one specific provider for email and only supports that hardcoded provider.

It's just the SMTP server. You should be able, in theory, to create (if you don't already have one) a dummy GMail account, and only use it for authentication, having the actual Email sent to your regular Email address.
 
It's just the SMTP server. You should be able, in theory, to create (if you don't already have one) a dummy GMail account, and only use it for authentication, having the actual Email sent to your regular Email address.

Well sure, but why do they hard code a relay through Google, which as you mention requires authN since they don't allow open relay. In this day and age, you should be able to use any ISP or SMTP host you want.
 
A reply from Trend Micro:

This is Miguel Carlo from Trend Micro Consumer Support.

Allow me to set your expectation that you are pertaining to the product of ASUS which is called AiProtection. And to set your expectation that this program is supported by ASUS Team. Also, we do not have enough tools to support you with concern. Please send a feedback or email on this link provided:

http://www.asus.com/support/FAQ/1010436/


It possibly helps explain the poor standard of English in the AIProtection alert emails but does nothing to address the question of why the alert email contains no information of any use.

I shall reply and ask that the query be passed to whoever is responsible for AIProtection; that shouldn't be too difficult. (But I think what he's saying is: bugger off and speak to ASUS.)
 
It's just the SMTP server. You should be able, in theory, to create (if you don't already have one) a dummy GMail account, and only use it for authentication, having the actual Email sent to your regular Email address.
Sure, but I refuse to use Google, so the feature is of no use to me.
 
I followed Trend Micro's advice and directed my comments to ASUS (pointing them to this topic) and have had a response from the ASUS UK Support Team:

"Thank you for contacting ASUS and providing your feedback, much appreciated. These specific e-mails are generated by our HQ Wireless department, which cause that the english language is not always implemented correctly.

Please be advised that I will forward your feedback to our HQ Wireless department to see if the relevant department can improve the e-mails that are generated. Thank you for sharing your feedback and we are sorry for the inconvenience caused.

If you have any further questions, please do not hesitate to contact us."


It's been a slightly depressing insight into the support of the 2 organisations. Nevertheless, let's hope some good comes of it.
 
Encouraging update:

I've been contacted by Vanic, "ASUS SW RD vanic, responsible for AiProtection related functions (TrendMicro)". He's noted the comments in this topic and is very keen to improve AIProtection and the associated FAQs. He's also noted the deficiencies, even though some are outside his area of responsibility. I've offered to help in any way with reviewing the English and the content of the FAQs, and he's going to get back to me in a week or so.

As to the comments regarding the Gmail alert system: "About alert email "gmail", in my design, I allow all SMTP server to send mail, not limited in gmail. Unfortunately, there is no future work on this."

Nice to have such a hopeful response.

EDIT : True to their word, Asus did indeed send me a page during their partial revision of the FAQs for AiProtection for proof reading/editing and plan to do so again in the future. (May 2015)
 
I would like to know why Trend Micro interrupts my VPN connection, goes to look for an update every Tuesday even when I never accepted the EULA or use anything related to Trend Micro. I liked the deep packet inspection when I was testing the features before reflashing. I found some devices on my network with constant connections (mostly Android devices) that I was happy to be made aware of.

I am waiting for someone good with scripts to make a script that drops packets anything Trend Micro, or to see if RMerlin's next release changes its current behavior, otherwise I think I am going to a firmware pre-Trend Micro or John's. I am very surprised no one else takes issue with their router sending web sites you visit to a company (as the way I understand it works). Correct me if I am wrong.
 
Well sure, but why do they hard code a relay through Google, which as you mention requires authN since they don't allow open relay. In this day and age, you should be able to use any ISP or SMTP host you want.

Makes sense to me, it's easy and fairly universal.

Sure, but I refuse to use Google, so the feature is of no use to me.

Why not an account for JUST error messages?
 
Which Asus email did you use to send them concerns/feedback?
 
Just got an AC68U and tried to set up alerting to a dummy Gmail address, but I get this email from Gmail once I do.


Hi Kevin,
Someone just tried to sign in to your Google Account blah@gmail.com from an app that doesn't meet modern security standards.
Details:
Tuesday, May 31, 2016 10:54 AM (Pacific Daylight Time)
We strongly recommend that you use a secure app, like Gmail, to access your account. All apps made by Google meet these security standards. Using a less secure app, on the other hand, could leave your account vulnerable.

Sooo.....that's not going to work, is it? lol
 
Please search. This is a well known issue with gmail.
 