Trend Micro DPI engine on Asus router?

Wutikorn

Senior Member
I found that there is a Trend Micro DPI engine in the Asus router (https://www.asus.com/us/support/FAQ/1012070/). However, I wonder if the DPI engine is inside the router and uses an online cloud database, or the DPI engine is on a Trend Micro server (and the router does something like a VPN to the server), or it is just a URL filter? If the TM DPI engine is inside the router, will it scan for malware in local file transfers? Wouldn't performing DPI affect speed when sending local files at Gigabit speed or over link aggregation of two gigabit LAN?
 
It's part local, part-cloud based. Protocol and app identification for instance is local. Malicious website detection probably connects online to Trend Micro's WRS (Web Reputation Service).

The engine does not do file scanning, so it does not protect you against downloaded malicious files.

@vanic might know more than me there.
 
> It's part local, part-cloud based. Protocol and app identification for instance is local. Malicious website detection probably connects online to Trend Micro's WRS (Web Reputation Service).
>
> The engine does not do file scanning, so it does not protect you against downloaded malicious files.
>
> @vanic might know more than me there.

How about the part that is the DPI engine? Because I don't really care about TM's WRS. And if the DPI engine is inside the router, wouldn't it scan local file transfers and files when downloading from the internet?
 
That would require far more cpu power than the router has. The DPI engine only scans a few bytes at the start of a connection.

The engine itself is part of the firmware.

Sent from my Nexus 5X using Tapatalk
 
> How about the part that is the DPI engine? Because I don't really care about TM's WRS. And if the DPI engine is inside the router, wouldn't it scan local file transfers and files when downloading from the internet?

Hi Wutikorn,

1. DPI engine is in router.
2. WRS server is in Cloud Server, not only URL filter, it's URL content filter.
3. We just help to protect, not anti-virus, so we can't scan any malware in your pc or router or downloading file.
4. DPI engine won't affect performance in BRCM high-end models so far.

Thanks,
Vanic
 
My impressions of the DPI engine are mixed. It does a good job generally but it is very weak in identifying popular VoIP programs: it fails to detect Skype and Google Hangouts VoIP traffic, and it classifies them as "General", resulting in low priority. Perhaps some weakness of the DPI engine itself or something in the applications themselves?
 
> My impressions of the DPI engine are mixed. It does a good job generally but it is very weak in identifying popular VoIP programs: it fails to detect Skype and Google Hangouts VoIP traffic, and it classifies them as "General", resulting in low priority. Perhaps some weakness of the DPI engine itself or something in the applications themselves?

Yes, as you mention, some apps use SSL encryption, so we can't identify them well. We are still proceeding to make it better in 2016.
 
> My impressions of the DPI engine are mixed. It does a good job generally but it is very weak in identifying popular VoIP programs: it fails to detect Skype and Google Hangouts VoIP traffic, and it classifies them as "General", resulting in low priority. Perhaps some weakness of the DPI engine itself or something in the applications themselves?

As the world shifts to SSL/TLS, a lot of router-based applications will become difficult to implement unfortunately. Trade-off of having encryption from point to point unfortunately.
 
The problem with scanning applications like Skype is because they use their own protocol, and it requires that the scanner has the layer 7 hash used by the application. Skype's protocol has been reverse engineered, and if used on MikroTik you can manipulate the traffic and do all sorts of things.

Infected website lists can be maintained in a cloud so it requires checking and like an antivirus unless you specify which you can't on a router from lack of CPU is that it will scan the important bit of a file and check with an existing signature (it could utilise the cloud that it sends the important bits to the cloud for analysis).

This is why I have scorned at Broadcom on this forum for using the ARM A9 when the ARM A15 was a much better choice for handling the additional features that homes now want. I know I've made Java apps work very smoothly on single core ARM A9 phones clocked down to 200MHz, but that's me and I code in a very very complex way that unless you can code in assembly and have the same instructions doing multiple things you won't really understand it. The other difficulty is that coding for ARM is different for different ARM platforms and Broadcom has a lot of proprietary stuff which their engineers develop, who are much suited for doing their stuff like media acceleration (only on enterprise hardware). A lot of the technology that Broadcom boasts in hardware is implemented at ISPs and enterprises or large scale deployment stuff and never really an option for consumer manufacturers. Media acceleration would mean routers could become a media server and not use CPU to encode, as raw file access requires a lot of bandwidth and file access speed which isn't suitable for raw 4K files over WiFi. Similarly hardware acceleration can also be used for virus scanning since they involve hashes and some math and is just compared to a list.
 
> That would require far more cpu power than the router has. The DPI engine only scans a few bytes at the start of a connection.
>
> The engine itself is part of the firmware.
>
> Sent from my Nexus 5X using Tapatalk

Does it scan the beginning of each packet? Or just the beginning of a connection? And how effective is that? I'm comparing between Sitecom and Trend Micro in Asus. https://www.sitecom.com/en/sitecom-cloud-security/347. In the meantime, Asus does not charge a yearly fee.

> Hi Wutikorn,
>
> 1. DPI engine is in router.
> 2. WRS server is in Cloud Server, not only URL filter, it's URL content filter.
> 3. We just help to protect, not anti-virus, so we can't scan any malware in your pc or router or downloading file.
> 4. DPI engine won't affect performance in BRCM high-end models so far.
>
> Thanks,
> Vanic

Which company do you speak on behalf of? If the DPI engine in the router does not scan for malware, what else does it do? I was expecting the DPI engine to work like the DPI engine in http://la.trendmicro.com/media/wp/deep-security-whitepaper-en.pdf . Maybe I was expecting too much. What about Trend Micro Virtual Patching in the router, does it perform the same as the one in Deep Security? (http://www.trendmicro.com/us/enterprise/challenges/cloud-virtualization/virtual-patching/) What does this UTM have (based on http://www.surfright.nl/en/hitmanpro/utm) that Asus does not have?
 
Hi there!

Has anyone noticed that enabling "trend micro virtual patch" forces the creation of the file "wrs_vp.txt" @ /jffs (which is part of the flash memory) every minute? Maybe this could lead to wear-out of the flash chip.

Is it secure to enable this feature?

Regards

admin@RT-AC68U:/jffs# ll
drwxr-xr-x 2 admin root 0 Aug 1 02:00 configs/
drwxr-xr-x 2 admin root 0 Dec 30 14:32 scripts/
drwxrwxrwx 2 admin root 0 Dec 30 14:11 signature/
-rw-rw-rw- 1 admin root 59132 Dec 31 15:30 syslog.log
-rw-r--r-- 1 admin root 319488 Dec 31 17:00 traffic.db
drwxr-xr-x 2 admin root 0 Aug 1 02:00 usericon/
-rw-rw-rw- 1 admin root 0 Dec 31 17:04 wrs_vp.txt
 
> Hi there!
>
> Has anyone noticed that enabling "trend micro virtual patch" forces the creation of the file "wrs_vp.txt" @ /jffs (which is part of the flash memory) every minute? Maybe this could lead to wear-out of the flash chip.
>
> Is it secure to enable this feature?
>
> Regards
>
> admin@RT-AC68U:/jffs# ll
> drwxr-xr-x 2 admin root 0 Aug 1 02:00 configs/
> drwxr-xr-x 2 admin root 0 Dec 30 14:32 scripts/
> drwxrwxrwx 2 admin root 0 Dec 30 14:11 signature/
> -rw-rw-rw- 1 admin root 59132 Dec 31 15:30 syslog.log
> -rw-r--r-- 1 admin root 319488 Dec 31 17:00 traffic.db
> drwxr-xr-x 2 admin root 0 Aug 1 02:00 usericon/
> -rw-rw-rw- 1 admin root 0 Dec 31 17:04 wrs_vp.txt

Hi,
It's secure and safe to enable. This file is to dump dpi engine information for mail.

Thanks,
Vanic
 
I did test sending the EICAR test file using Skype to one of my PCs under AiProtection. However, AiProtection did not stop the EICAR file from being downloaded to the PC. However, with Malicious site blocking turned off but Vulnerability Protection on, the PC could not download the EICAR file and the download would not even initiate.
 
> A lot of the technology that Broadcom boasts in hardware is implemented at ISPs and enterprises or large scale deployment stuff and never really an option for consumer manufacturers. Media acceleration would mean routers could become a media server and not use CPU to encode, as raw file access requires a lot of bandwidth and file access speed which isn't suitable for raw 4K files over WiFi. Similarly hardware acceleration can also be used for virus scanning since they involve hashes and some math and is just compared to a list.

Good point - and their VideoCore FIB isn't that large - would be useful for H.264 transcodes as an example - same with their AES crypto block that they use in their WiFi chips - very fast at AES-256-cbc (because of the WPA2 reqt)...

I'm not as hard on them for using Cortex-A9, except that it's getting long in the tooth, and A53/A57 would be a better choice moving into 2016... A9 isn't perfect (1st gen OOO and SMP for ARM), and it has some memory performance issues compared to other ARMv7 custom cores (Swift, Krait, others), but it's 'good enough'.
 