Menu
What's new
By:
Filters Better Search

What is "asd" process?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Status
Not open for further replies.
Interesting reads. I wonder if this has connection to iOS’
Code: 
/usr/libexec/asd
Not knowing Linux (learning) it described on Linux FHS guide

I have a few diskwrite log for this /usr path on iOS 16.2
 
brendanp said:
He said that back in 2021 ... so asd has been in the Merlin product for years ... (in fact, asd shows in my "top" command presently) ... but the scanning of a mounded drive non-stop is something that only started in the latest 386.9 release.
Click to expand...
I wonder what's up with the latest asus firmware? does the scanner also run on it?
 
Update: 12 hours post roll-back, and my HDD is idle as expected...for me: rolling back to Merlin 386.7_2 is the "fix" for now.
 
brendanp said:
Update: 12 hours post roll-back, and my HDD is idle as expected...for me: rolling back to Merlin 386.7_2 is the "fix" for now.
Click to expand...

...and the other working solution is the one I also wrote: suspending the running process. This obviously has to be done again after every reboot, but it seems manageable for now.
 
ColinTaylor said:
It is an Asus issue. Merlin is using a more recent source code. asd is a closed source blob from Asus. Only they can fix it.
Click to expand...
"ASUS customer support, how can I help you?"
"Yes, my router is scanning my HDD non-stop since a firmware upgrade..."
"What version are you running sir?"
"Merlin 386.9"
" 'Merlin'? So you're not running stock ASUS firmware?"
"Well, no, but ..."
<click>
 
brendanp said:
"ASUS customer support, how can I help you?"
"Yes, my router is scanning my HDD non-stop since a firmware upgrade..."
"What version are you running sir?"
"Merlin 386.9"
" 'Merlin'? So you're not running stock ASUS firmware?"
"Well, no, but ..."
<click>
Click to expand...
So what's your point?
 
brendanp said:
My point is: Reporting abnormal behavior of a non-ASUS firmware (e.g. Merlin) to ASUS is a non-starter.
Click to expand...
True. And complaining about something in the Merlin forum that is outside the developer's control is equally pointless. So the people that this is a problem for can choose to stay on the previous release until Asus fixes it. In the meantime people running stock firmware (now or in the future) that experience this problem can report it to Asus.
 
ColinTaylor said:
True. And complaining about something in the Merlin forum that is outside the developer's control is equally pointless. So the people that this is a problem for can choose to stay on the previous release until Asus fixes it. In the meantime people running stock firmware (now or in the future) that experience this problem can report it to Asus.
Click to expand...
the only question is which is the bigger security problem, an older firmware, possibly containing sechole, or a new firmware, which must block running processes in order to avoid malfunctions...
 
ColinTaylor said:
True. And complaining about something in the Merlin forum that is outside the developer's control is equally pointless. So the people that this is a problem for can choose to stay on the previous release until Asus fixes it. In the meantime people running stock firmware (now or in the future) that experience this problem can report it to Asus.
Click to expand...
I disagree. "Complaining" about this problem has yielded not 1 but 2 good work-arounds. (And possibly more will follow).

Users who experience the same issue can find this thread via Google (as I did) and quickly confirm, "Yes, that's what's happening to me ... " and have solutions provided.
 
zitev said:
the only question is which is the bigger security problem, an older firmware, possibly containing sechole, or a new firmware, which must block running processes in order to avoid malfunctions...
Click to expand...
To be honest: The only reason I upgraded was to get rid of the blinky-"!" saying there was a new version available. I didn't have a particular security hole I was trying to patch or anything. So Rolling back is my personal preferred solution. It's easier, only needs to be done once, and survives a power-outage ... so for my use-case, that works. If you have benefits from the latest release that you need; then I think you're solution is great ... maybe somebody with more knowledge than me could even figure out how to script it at boot. Is the INIT process consuming CPU now trying to restart the /usr/bin/find process? Or is it still "running" but "suspended" with your solution?
 
There is a bigger problem with asd then just hammering attached drives with scans. asd is actually destructive. I mounted an nfs share that contained some fortunately now unused nfsroot filesystems. asd scanned them and deleted all files of the form crt*. This makes asd seem like a rather blunt instrument. All these files on the mount were either i686 or x86_64 binaries, which could not have been used to link executables that would run on the router. Sure, these files could be used to link malware on other machines, but how hard would it be to store these C runtime files using a different name. I would never have known about this if I hadn't tried to unmount the share and had the request denied because asd had open files on it. If I remember correctly, asuswrt by default will mount a usb drive when it is plugged in. So if someone plugged in a drive containing a linux system, asd would damage it, possibly without anyone knowing until much later. Based on this as far as I am concerned, even though asd is supposed to be antimalware software, it is malware. Fortunately SIGSTOP works for me with 386.9 on an RT-AC68U. I did not lose anything important, but my trust in Asus has been shaken. What else is this binary blob looking for? Asuswrt-Merlin may want to reevaluate their position on asd.
 
dabbleduck said:
There is a bigger problem with asd then just hammering attached drives with scans. asd is actually destructive. I mounted an nfs share that contained some fortunately now unused nfsroot filesystems. asd scanned them and deleted all files of the form crt*.
Click to expand...
Yikes! No quarantine or logs to tell you what files were impacted / deleted? asd simply goes in and deletes files it doesn't like? That is the exact definition of malware!
 
There was a log in /jffs/asd.log as the following excerpt shows.
Code: 
...
1674212880[remove_file_in_dir]Delete harmful file,/tmp/mnt/irrigation-32/usr/lib/crtn.o
1674212880[blockfile] /tmp/mnt/irrigation-32/usr/lib/crtn.o is binary.
1674212880[remove_file_in_dir]Delete harmful file,/tmp/mnt/irrigation-32/usr/lib/crti.o
1674212880[blockfile] /tmp/mnt/irrigation-32/usr/lib/crti.o is binary.
1674212880[remove_file_in_dir]Delete harmful file,/tmp/mnt/irrigation-32/usr/lib/crt1.o
1674212880[blockfile] /tmp/mnt/irrigation-32/usr/lib/crt1.o is binary.
...

But I did not even know the asd process existed until this happened, and how many people expect a reasonably well protected router to just start deleting files from a mount? If the files were quarantined, there is nothing in the log to indicate that.
 
dabbleduck said:
There is a bigger problem with asd then just hammering attached drives with scans. asd is actually destructive. I mounted an nfs share that contained some fortunately now unused nfsroot filesystems. asd scanned them and deleted all files of the form crt*. This makes asd seem like a rather blunt instrument. All these files on the mount were either i686 or x86_64 binaries, which could not have been used to link executables that would run on the router. Sure, these files could be used to link malware on other machines, but how hard would it be to store these C runtime files using a different name. I would never have known about this if I hadn't tried to unmount the share and had the request denied because asd had open files on it. If I remember correctly, asuswrt by default will mount a usb drive when it is plugged in. So if someone plugged in a drive containing a linux system, asd would damage it, possibly without anyone knowing until much later. Based on this as far as I am concerned, even though asd is supposed to be antimalware software, it is malware. Fortunately SIGSTOP works for me with 386.9 on an RT-AC68U. I did not lose anything important, but my trust in Asus has been shaken. What else is this binary blob looking for? Asuswrt-Merlin may want to reevaluate their position on asd.
Click to expand...
And unfortunately I do confirm this. Everything matching the following patterns have been removed from NAS mounted to /tmp/mnt/

Code: 
/usr/bin/find /tmp -iname .config_read*
/usr/bin/find /tmp -iname cpd*
/usr/bin/find /tmp -iname crrt*
/usr/bin/find /tmp -iname crt*

There are also other scans on /tmp and /jffs/

Code: 
/usr/bin/find /jffs/tmp -iname directory
/usr/bin/find /jffs/configs -iname ssl
/usr/bin/find /tmp/logs -iname WGUpgrade-dl
/usr/bin/find /tmp/ppp -iname S51armled
/usr/bin/find /tmp/var -iname link

You can find detailed info on what was removed in /jffs/asd.log, e.g.:

Code: 
1674250019[remove_file_in_dir]Delete harmful file,/tmp/mnt/nas_backup/lib/crt_important-file.o
1674250081[remove_file_in_dir]Delete harmful file,/tmp/mnt/nas_backup/lib/crrt_important-file.o

Keep you software up to date, to keep your network and data safe, they say...
 
Last edited:
dabbleduck said:
There was a log in /jffs/asd.log as the following excerpt shows.
Code: 
...
1674212880[remove_file_in_dir]Delete harmful file,/tmp/mnt/irrigation-32/usr/lib/crtn.o
1674212880[blockfile] /tmp/mnt/irrigation-32/usr/lib/crtn.o is binary.
1674212880[remove_file_in_dir]Delete harmful file,/tmp/mnt/irrigation-32/usr/lib/crti.o
1674212880[blockfile] /tmp/mnt/irrigation-32/usr/lib/crti.o is binary.
1674212880[remove_file_in_dir]Delete harmful file,/tmp/mnt/irrigation-32/usr/lib/crt1.o
1674212880[blockfile] /tmp/mnt/irrigation-32/usr/lib/crt1.o is binary.
...

But I did not even know the asd process existed until this happened, and how many people expect a reasonably well protected router to just start deleting files from a mount? If the files were quarantined, there is nothing in the log to indicate that.
Click to expand...
this is such a primitive solution that it is outrageous...
 
Status
Not open for further replies.

Similar threads

Sky
Solved ASUS RT-AC87 System log missing days (Synology issue?)
Replies
1
Views
1K
Sky
Sky
RMerlin
  • Locked
Beta Asuswrt-Merlin 386.2 Beta is now available
33 34 35
Replies
688
Views
183K
RMerlin
RMerlin
F
Cron job and DST is wrong
Replies
15
Views
2K
Frejoh4666
F
gogubeb
R7800 - strange issue when going back to Voxel/stock firmware
Replies
4
Views
4K
RogerSC
R
Z
Asus RT-AC5300 bricked. What to do?
Replies
15
Views
23K
COBOL-Coder
C

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Members online

Total: 536 (members: 15, guests: 521)
Top