What is "asd" process?

Status
Not open for further replies.

netware5

Very Senior Member
Hi guys, I am wondering what is the "asd" process, which produces the following log in /jffs/asd.log:

Code:
1525496708[register_feature] chknvram registered
1525496708[register_feature] misc registered
1525496708[init] Load existing signature files.
1525496708[update_signature_in_feature] Update sig in feature(blockfile)
1525496708[update_signature_in_feature] Update sig in feature(chknvram)
1525496708[register_feature] blockfile registered
1525496708[register_feature] chknvram registered
1525496708[register_feature] misc registered
1525496708[init] Load existing signature files.
1525496708[update_signature_in_feature] Update sig in feature(blockfile)
1525496708[update_signature_in_feature] Update sig in feature(chknvram)
1525496708[register_feature] blockfile registered
1525496708[register_feature] chknvram registered
1525496708[register_feature] misc registered
1525496708[init] Load existing signature files.
1525496708[update_signature_in_feature] Update sig in feature(blockfile)
1525496708[update_signature_in_feature] Update sig in feature(chknvram)
1633280209[check_version_from_server] Check server at Sun Oct  3 19:56:49 2021
1633310480[check_version_from_server] Check server at Mon Oct  4 04:21:20 2021
1633310483[_download_and_verify_file] Download file (version) fail!
1633310510[check_version_from_server] Check server at Mon Oct  4 04:21:50 2021
1633310513[_download_and_verify_file] Download file (version) fail!
1633310540[check_version_from_server] Check server at Mon Oct  4 04:22:20 2021
1633310543[_download_and_verify_file] Download file (version) fail!
1633396880[check_version_from_server] Check server at Tue Oct  5 04:21:20 2021
1633396910[check_version_from_server] Check server at Tue Oct  5 04:21:50 2021
1633483280[check_version_from_server] Check server at Wed Oct  6 04:21:20 2021
1633483310[check_version_from_server] Check server at Wed Oct  6 04:21:50 2021
1633569680[check_version_from_server] Check server at Thu Oct  7 04:21:20 2021
1633569710[check_version_from_server] Check server at Thu Oct  7 04:21:50 2021
1633656080[check_version_from_server] Check server at Fri Oct  8 04:21:20 2021
1633656110[check_version_from_server] Check server at Fri Oct  8 04:21:50 2021
1633742480[check_version_from_server] Check server at Sat Oct  9 04:21:20 2021
1633742510[check_version_from_server] Check server at Sat Oct  9 04:21:50 2021
1633828880[check_version_from_server] Check server at Sun Oct 10 04:21:20 2021
1633828910[check_version_from_server] Check server at Sun Oct 10 04:21:50 2021
1633915280[check_version_from_server] Check server at Mon Oct 11 04:21:20 2021
1633915310[check_version_from_server] Check server at Mon Oct 11 04:21:50 2021
1634001680[check_version_from_server] Check server at Tue Oct 12 04:21:20 2021
1634001710[check_version_from_server] Check server at Tue Oct 12 04:21:50 2021
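
Added example, not part of the thread and not Asus or Asuswrt-Merlin code: a small parser for the asd.log layout shown in the post above (epoch seconds, function name in brackets, message) that counts entries per function and lists failed signature downloads with the delay since the preceding server check. The sample lines are constructed from that layout, and the script assumes the log has been copied off the router for review.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the asd.log layout from the post: <epoch>[<function>] <message>
SAMPLE = """\
1525496708[register_feature] blockfile registered
1525496708[init] Load existing signature files.
1633310480[check_version_from_server] Check server at Mon Oct  4 04:21:20 2021
1633310483[_download_and_verify_file] Download file (version) fail!
1633310510[check_version_from_server] Check server at Mon Oct  4 04:21:50 2021
1633310513[_download_and_verify_file] Download file (version) fail!
1633396880[check_version_from_server] Check server at Tue Oct  5 04:21:20 2021
this line is not an asd entry
"""

LINE_RE = re.compile(r"^(\d{9,11})\[([A-Za-z_]\w*)\]\s*(.*)$")

def parse(text):
    """Return (entries, rejects); entries are (utc_datetime, function, message)."""
    entries, rejects = [], []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            if raw.strip():
                rejects.append(raw)  # keep unparsable lines visible for review
            continue
        ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        entries.append((ts, m.group(2), m.group(3)))
    return entries, rejects

def summarize(entries):
    """Count entries per function; pair each failed download with the check before it."""
    counts = Counter(func for _, func, _ in entries)
    failures, last_check = [], None
    for ts, func, msg in entries:
        if func == "check_version_from_server":
            last_check = ts
        elif func == "_download_and_verify_file" and msg.endswith("fail!"):
            delay = (ts - last_check).total_seconds() if last_check else None
            failures.append((ts.isoformat(), delay))
    return counts, failures

if __name__ == "__main__":
    entries, rejects = parse(SAMPLE)
    counts, failures = summarize(entries)
    print(dict(counts), failures, rejects, sep="\n")
```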
 
I believe it's the Trend Micro signature update process.

See post #5.
 
I believe it's the Trend Micro signature update process.
Thanks! But I do not use any of the Trend Micro stuff on my router. I refused to agree to the proposed agreement ...
 
It's not related to Trend Micro. It's a separate security daemon from Asus that handles security-related issues on the router itself. They provide a special set of signature files specific to Asuswrt-Merlin that automatically gets downloaded from them.
 
It's not related to Trend Micro. It's a separate security daemon from Asus that handles security-related issues on the router itself. They provide a special set of signature files specific to Asuswrt-Merlin that automatically gets downloaded from them.
Thanks @RMerlin! I will not ask what exactly the Asus Security Daemon does :), because I have ultimate trust in you ;)
 
Thanks @RMerlin! I will not ask what exactly the Asus Security Daemon does :), because I have ultimate trust in you ;)
And since it's related to security, it's not something I'd want to start discussing in detail anyway. Suffice to say that there have been exchanges between Asus and me before I decided to enable it in my firmware.
 
Hi, please, I found out that I'm getting this result in asd.log, but I have no clue where / what I should remove.
Thanks


1525496707[register_feature] blockfile registered
1525496707[register_feature] chknvram registered
1525496707[register_feature] misc registered
1525496707[init] Create asd folder.
1525496707[are_all_sig_file_valid] Local version file is invalid!
1525496707[init] Remove all invalid files
 
Hi, please, I found out that I'm getting this result in asd.log, but I have no clue where / what I should remove.
Thanks


1525496707[register_feature] blockfile registered
1525496707[register_feature] chknvram registered
1525496707[register_feature] misc registered
1525496707[init] Create asd folder.
1525496707[are_all_sig_file_valid] Local version file is invalid!
1525496707[init] Remove all invalid files
Those are normal messages at the beginning of the log file after the router has been reset.
 
And since it's related to security, it's not something I'd want to start discussing in detail anyway. Suffice to say that there have been exchanges between Asus and me before I decided to enable it in my firmware.
Hi RMerlin, yesterday I updated to v386.9, since then this process is constantly spinning the hdd connected to the router. I don't need this unsolicited and unnecessary solution, I'm wondering how I can disable it permanently? I temporarily shot it down with a SIGSTOP, but a permanent solution would be nice... Thanks for help,

zitev
 
And since it's related to security, it's not something I'd want to start discussing in detail anyway. Suffice to say that there have been exchanges between Asus and me before I decided to enable it in my firmware.
Interesting, just wondering, with your knowledge of the internals, would you be able to hack an Asus router remotely? If you turned rogue, for example. Or are they locked down so much now that it would be difficult/impossible?
 
I don't need this unsolicited and unnecessary solution, I'm wondering how I can disable it permanently?
You can't. If it were that simple, then malware authors would all be simply disabling it.

with your knowledge of the internals, would you be able to hack an Asus router remotely?
If I knew of an existing remotely exploitable security issue, then I would have reported it to Asus by now, and they would have fixed it.

The last time that I recall reporting a security issue to them (which was reported to me by Cisco Talos), they had a patch for me within less than 48 hours.
 
You can't. If it were that simple, then malware authors would all be simply disabling it.


If I knew of an existing remotely exploitable security issue, then I would have reported it to Asus by now, and they would have fixed it.

The last time that I recall reporting a security issue to them (which was reported to me by Cisco Talos), they had a patch for me within less than 48 hours.
...In the meantime I already did it, I killed the process, because the lifespan of my hdd is very important to me. What exactly does this process do, what kind of vulnerability is such a primitive solution deployed against?
 
.In the meantime I already did it, I killed the process, because the lifespan of my hdd is very important to me.
It will get automatically restarted.

What exactly does this process do
It scans for known malwares on your router.
 
It will get automatically restarted.


It scans for known malwares on your router.

Yes, that's why I need a correct command syntax that I can start at the end of the boot process and stop this hdd-killer process. There is no malware on my router, there will be no malware, and if there is, it will be my problem, I don't need this "careful" solution, which causes more damage than it might solve.
 
nd if there is, it will be my problem
That's the thing. Modern malwares are everyone's problem, because an infected router becomes part of a botnet that will participate in multi-terabits DDoS attacks which affect everyone else.
 
That's the thing. Modern malwares are everyone's problem, because an infected router becomes part of a botnet that will participate in multi-terabits DDoS attacks which affect everyone else.
If the router has a security flaw that causes it to get a malware infection, the solution is not amateur patching, which drastically reduces the lifespan of the hdd connected to it. This is not acceptable for any reason, otherwise it is an assumption, and the fact that a search script is constantly scrolling the hdd does not correspond to any security solution at any level.
 
If the router has a security flaw that causes it to get a malware infection, the solution is not amateur patching,
Running a malware scanner is not "amateur patching", it's part of any good multilayer security coverage. It's been common practice on computers since the 90s, and it's also being done on devices such as NAS. It's just a good security measure to ensure you can catch anything that is newer than the software you are running, as you can push new signature files within a few hours of discovery, while pushing an OS or firmware update can take multiple weeks (assuming all your users do update, rollouts could potentially take months).
 
Running a malware scanner is not "amateur patching", it's part of any good multilayer security coverage. It's been common practice on computers since the 90s, and it's also being done on devices such as NAS. It's just a good security measure to ensure you can catch anything that is newer than the software you are running, as you can push new signature files within a few hours of discovery, while pushing an OS or firmware update can take multiple weeks (assuming all your users do update, rollouts could potentially take months).
OK, I don't want to refer to that. I consider it an unfortunate solution that causes more harm than good. How can I turn this off permanently? Maybe I can prevent the find command from running with a workaround, a postboot script?
 
The .asd process is nothing new, this thread started over a year ago.

As Merlin explained, it is an ASUS security process; for what should be obvious reasons, there is no way he would ever discuss or detail how to stop it running.
 