AI Protection Alerts Coming From LAN Client

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

YrbkMgr

Occasional Visitor
Last May I posted this thread AiProtection Alerts - Should I Be Concerned? Basically, I was told that since "The MAC address shown is outside your network , the sending device", not to worry about it as the protection was working.

Recently however, I've been getting alerts from a device on my LAN and even though it's being blocked, it's happening with such frequency, I want to see if I can eliminate the "cause".

IPS Two Way Protection: The source of the attack is 192.168.1.158 which is a Win 7 HP Pavilion on my LAN and the destination is the AC3200. There were over 60 attempts blocked at 2 second intervals on 10/16/2021 alone, and over 300 entries in total from that source:
AI Protection IPS Attacks 01_edit.JPG
AI Protection IPS Attacks 02_edit.JPG

Malicious Site Blocking is blocking Adware from my AC3200 to Heavy-r, some porn site:
AI Protection Malicious Site Blocking 01.JPG
AI Protection Malicious Site Blocking 02.JPG

How do I track down what is causing this on the source machine (192.168.1.158)? Any thoughts?
 

AndreiV

Very Senior Member
You have something malicious running on the HP laptop , try these to remove it.


RKill this kills malicious processes and allows your AV to work correctly.


ADW Cleaner removes adware and unwanted programs etc.


TrendMicro Housecall free Antivirus scan/clean that runs external to the infected device.
 

YrbkMgr

Occasional Visitor
Thank you for confirming my suspicions. I can't even spell DHCP, but I can always rely on credible expert advice here. I'll post back once I figure it out.

Thanks a million...
 

bbunge

Part of the Furniture
Windows 7? Time to upgrade! If not Windows 10 there are some great Linux distros out there.
 

Tech9

Part of the Furniture
If not Windows 10 there are some great Linux distros out there.

True, but if he uses specific Windows only software and hardware with mostly Windows drivers, like multi-functional printers, it may not work well. I would attempt Windows 10 upgrade, if not Windows 8.1 - it's still supported, until Jan 2023.
 

YrbkMgr

Occasional Visitor
Windows 7? Time to upgrade! If not Windows 10 there are some great Linux distros out there.
Thanks for making me chuckle - I knew someone would say something about it. I don't know much about networking technicalities, but clearly if I'm delving into router logs, somewhere along the way I'm sure to have heard of EOL on Win 7. Having it in service on my home LAN is a deliberate choice.

FWIW, that machine with it's puny Intel Core 2 Quad Q8300 @ 2.50GHz... runs Photoshop CS2, MS Office 2010 (you heard me right), and primarily acts as a client for my IP Camera software (Blue Iris). It's a "hand-me-down" which is why there were issues with malware.

All of that notwithstanding, yeah, I think about it being in the twilight years of it's life almost daily. So there's that.
 

Tech9

Part of the Furniture
Core 2 Quad Q8300 @ 2.50GHz

If you use Photoshop on this PC, it must have at least 4GB of RAM. Windows 10 may work well on it, maintaining backward compatibility with your software. I also have one older laptop used for camera monitoring, Core 2 Duo T9300 @2.5GHz with 6GB RAM and 120GB SSID. It works perfectly with Windows 10, quite snappy actually. Windows 10 was designed to work on mobile devices and it's a bit lighter on resources than Windows 7. Give it a try when you have the time.
 

YrbkMgr

Occasional Visitor
If you use Photoshop on this PC, it must have at least 4GB of RAM. Windows 10 may work well on it, maintaining backward compatibility with your software. I also have one older laptop used for camera monitoring, Core 2 Duo T9300 @2.5GHz with 6GB RAM and 120GB SSID. It works perfectly with Windows 10, quite snappy actually. Windows 10 was designed to work on mobile devices and it's a bit lighter on resources than Windows 7. Give it a try when you have the time.
So first, I appreciate the conversation - let me share though, some of my thoughts.

On Photoshop, I have 6 GB installed on that machine; I was a beta tester for Adobe during the transition from PS 7 to the CS suite, so I'm pretty steeped in it. I no longer use PS regularly, but when I need to use it... well, you get it. I ran PS on my Win 10 machine for a while, but there are a lot of interface issues and wonky behavior. Plus I gained no performance gain considering that PS is no longer a mission critical program for me as it used to be. After a clean install of Win 10 Pro on my main PC, I elected to refrain from installing all but the most necessary applications.

Moreover, I ask myself what problem I be solving by trying to migrate that machine to Win 10 - "peace of mind" from a security standpoint? Performance isn't an issue, and upgrading to an OS with a not to distant EOL... for money?... not in my future. Also Photoshop isn't a concern on that machine - the main use is to run a web browser so I can monitor my IP Cameras.

On the topic of malware on that machine, I followed the advice above and believe I have scrubbed that system well. I haven't seen an AI Protection alert since, but it's early and I'm still monitoring. So for the being, I think I'm good.

I appreciate everyone's contributions...
 

dosborne

Very Senior Member
MS Office 2010 (you heard me right)
I'm still on MS Office 2007 lol as it was the last one I have a legitimate license for. I rarely use it so no point in upgrading as I've never had an issue opening anything yet.
 

YrbkMgr

Occasional Visitor
Okay, I've heard that argument before. I ask you, with all humility, convince me that I'm at risk with a Win 7 client on my LAN under the following assumptions.

Let's assume that the Win 7 machine is currently free of exploits or malicious software. Let's also say that no "surfing" occurs on that machine - the only pages ever opened are trusted. That is to say, I have full control over that machine and it's main use is running installed apps. What I'm getting at here is this, let's assume that "best practices" are used in managing vulnerabilities such that there is an infinitesimally small risk of running into a site that can do any damage - we all know the risk is not zero on a home LAN.

Now, I have the AC3200 with it's firewall and AI Protection enabled. I have Windows firewall on all machines on the LAN. Microsoft Defender Antivirus is on all machines. As I see it, the risk of malicious exploits will come from the Windows 10 machines on the LAN - the ones in daily use. So where's my risk?

Ah, whaddabout IoT, you say... yep. But that risk is not limited to Win 7. Finally, consider that I'm an ole man with an ole lady - no kids anymore. IOW, a controlled environment.

To be clear.... I'm not saying that I'm right - I'm saying, as I've laid it out, convince me why I should get that Win 7 machine (HP Pavilion) off my LAN. I'm persuadable, but I've not heard a solid argument yet in a cost/risk/benefit sense. As far as I can tell, I get no more peace of mind if I remove that OS from the LAN.

What am I missing?
 

YrbkMgr

Occasional Visitor
Am I the only one who has trouble launching the Trend Micro site to get more information about a threat? It only launches a site in Chinese (Taiwan, if I'm not mistaken). See below..

Trend micro 03.JPG
 

Smokey613

Very Senior Member
I have a laptop and a workstation, both Dell running Windows 7 Pro. They are used to run specific legacy programs. I rarely use them to “surf the web” but do use the laptop sometimes if I need to access my router by a LAN connection for configuration purposes. 99% of my internet use is with an iPad Pro 12.9 or an iPhone 13. I see no reason to upgrade my computers. They are running anti-virus software that is kept updated.
 

Tech9

Part of the Furniture
What am I missing?

If this computer has Internet connection, an OS with no security updates support is a potential risk. If it works on your LAN only, isolated from other Internet connected devices, the risk is minimal. You have to find a way to hack yourself, basically. It all depends on the setup and use case.
 

dosborne

Very Senior Member
Only you can decide if the risk is real or not and worth it in your environment. I too have a few legacy devices that haven't been updated in a long time. A NAS that hasn't had an update in over 10 years, and a crazy old phone system for example. Keep in mind too that threats are not necessarily just from the outside. If you open a malware attachment (or 100 other scenarios) and a system gets even partially compromised *inside* your network then older, less secure systems could be exposed even if they don't "surf the web".

As already pointed out, the less exposure the less likely there will be a problem, but, there are many entry points.

Of course only you can decide for your specific case. You protect what is reasonable. There are legitimate and valid reasons to continue with legacy equipment. Just have a recovery plan for the worst case scenario. The good news is that often for legacy equipment (at least in my case) it is easy to have a spare hard drive mirrored and sitting on a shelf for disaster recovery or attack.

Some legacy parts are irreplaceable. Although I actually haven't looked, I suspect finding a replacement for my 16 port digiboard would be hard to find. On the software side, I use some scanner software (with a modern scanner) that is about 10+ years old as similar to MS Office, I have a license for it, and use almost daily some functionality that the vendor removed from all newer releases. In fact I still have a windows 98 laptop that must be close to 20 years old that I keep around for the odd time I need terminal emulation (long story why newer stuff doesn't work as well) but this is not *on* my network and will remain standalone.

Bottom line, there are reasons to keep legacy systems around, just do what you can to mitigate the risk level.
 
Last edited:

YrbkMgr

Occasional Visitor
Just have a recovery plan for the worst case scenario.
Exactly.

The issue is risk mitigation, not risk elimination. Further, a distinction should be made between risk mitigation on a home LAN v. corporate networks. Consider food borne disease - restaurant kitchens have to employ different mitigation efforts than those in the home. I feel that repurposing legacy equipment is a responsible way to be "green".

Thanks to everyone for a scintillating conversation.

As a follow up, I have yet to receive any more AI Protection notifications. Now on that last matter....

Does anyone have any insight regarding my post Trend Micro site in Chinese above?
 

Frost

Occasional Visitor
You have something malicious running on the HP laptop , try these to remove it.


RKill this kills malicious processes and allows your AV to work correctly.


ADW Cleaner removes adware and unwanted programs etc.


TrendMicro Housecall free Antivirus scan/clean that runs external to the infected device.
TrendMicro Malicious

Do I have to worry?

TrendMicro has blocked different exelator.com last couple of days. The latest: loada.exelator.com

Threat Source Destination

Scam Desktop-UFH---- Loada.exelator.com


Am I right that the “problem” has already infected my PC ? If so, how has this happened?

Https is enabled with certification, and also an OpenVPN is activated (Exp---)

The RT-AX86U version 386.3_2 was upgraded to 384 alpha3, but I returned to 386.3_2 when the problem occurred.

Today I have installed and scanned with free trials: Malwarebytes and SpyHunter.

First Malwarebytes advised to block a passage in both Chrome and Edge, and then SpyHunter found nothing.

The router and PC is connected with wire, and ViFi is only used when installing router upgrading.

I understand the ---.exelator.com is a real problem, and I need advice to safely remove it if, it is still active
 

bbunge

Part of the Furniture
TrendMicro Malicious

Do I have to worry?

TrendMicro has blocked different exelator.com last couple of days. The latest: loada.exelator.com

Threat Source Destination

Scam Desktop-UFH---- Loada.exelator.com


Am I right that the “problem” has already infected my PC ? If so, how has this happened?

Https is enabled with certification, and also an OpenVPN is activated (Exp---)

The RT-AX86U version 386.3_2 was upgraded to 384 alpha3, but I returned to 386.3_2 when the problem occurred.

Today I have installed and scanned with free trials: Malwarebytes and SpyHunter.

First Malwarebytes advised to block a passage in both Chrome and Edge, and then SpyHunter found nothing.

The router and PC is connected with wire, and ViFi is only used when installing router upgrading.

I understand the ---.exelator.com is a real problem, and I need advice to safely remove it if, it is still active
After years of no AiProtect hits my router has blocked this same scam this weekend from several clients. Pretty sure it is coming from browsing and not an infection.
 

OzarkEdge

Part of the Furniture
After years of no AiProtect hits my router has blocked this same scam this weekend from several clients. Pretty sure it is coming from browsing and not an infection.

I also have a sudden spike in AiProtection - Malicious Sites Blocking related to *exelator.com. Last signature update is dated 10/28. At least AiP is doing something!

OE
 

bbunge

Part of the Furniture
I also have a sudden spike in AiProtection - Malicious Sites Blocking related to *exelator.com. Last signature update is dated 10/28. At least AiP is doing something!

OE
I have been trying to figure this out. You all know that I have to try things. Three days ago I set up Pi-Hole with Unbound. Removed the included block list and added three malware block lists. Left the router to use DoT to Quad9. My initial thoughts when I saw the AiProtection hits was that the Pi-Hole let those through with Unbound as a recursive server. Removed Unbound from the Pi-Hole and set it to use Quad9 with DNSSEC - same malware blocklists. AiProtect blocked another scam site. I am now back to Cloudflare Secure over DoT on the router with the Pi-Hole removed.
Interesting that at about the time AiProtect started to block scams the BBC News app on my Android tablet and phone started crashing. I can't prove that the app is the cause as it was last updated a month ago.
Maybe this has suddenly turned to DNS Hell! Asus - please get DNS Filter back on your firmware!!!
 
Similar threads
Thread starter Title Forum Replies Date
P Create exception for: Vulnerability Protection ASUS AC Routers & Adapters 9

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top