AIProtection Alert - Troubleshooting the offending app

martinr

Part of the Furniture
Something on my iPhone tries to contact autodoc.bg.



I’m running Merlin’s firmware (384.16) on an RT-AC68U along with Skynet, Diversion, Unbound Manager. I have all modules in AIProtection enabled.

I get the occasional email alert (sometimes up to 2/3 times a week, sometimes once every month or 2) from AIProtection that tells me a request to autodoc.bg was blocked on my iPhone. I have used this firm happily several times for car parts. So I uninstalled their app, but it made no difference. I’ve gone through all the browser tabs and closed any for autodoc. Again, that didn’t stop the occasional alert.

I’m intrigued to know what on my iPhone is trying to contact this site. It’s only because AIProtection has flagged this site that I know something (some app?) is trying to connect, which makes me wonder what else is going on ordinarily without AIProtection objecting.

From one to 3 attempts are usually made, only seconds apart. Of course, AIProtection only tells me the device, the time and the domain, not the app behind the connection.

Hoping to see what’s happening at the time, I have now turned on email alerts and automatic fetching for the AIProtect account: the AIProtection alert is emailed as soon as the domain is requested. Any tips/suggestions to get to the bottom of this would be welcome.

(Maybe this question’s better suited to an iPhone security forum, if there is one?)
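One way to narrow down which app is behind an alert like this, as an added example that is not from the thread or from Diversion itself: with dnsmasq query logging enabled (Diversion can turn it on), the other domains the same phone resolved in the seconds around the flagged request often point to the ad SDK or app responsible. The log lines, client address and domain names below are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample of dnsmasq "log-queries" output; the timestamps,
# client address and domain names are invented for this example.
SAMPLE_LOG = """\
May 23 16:19:40 dnsmasq[512]: query[A] gateway.icloud.com from 192.168.1.23
May 23 16:19:47 dnsmasq[512]: query[A] ads.example-sdk.net from 192.168.1.23
May 23 16:19:48 dnsmasq[512]: query[A] autodoc.bg from 192.168.1.23
May 23 16:19:48 dnsmasq[512]: forwarded autodoc.bg to 1.1.1.1
May 23 16:19:51 dnsmasq[512]: query[AAAA] autodoc.bg from 192.168.1.23
May 23 16:19:52 dnsmasq[512]: query[A] cdn.example-sdk.net from 192.168.1.23
May 23 16:20:30 dnsmasq[512]: query[A] www.example.org from 192.168.1.50
May 23 16:25:00 dnsmasq[512]: query[A] time.apple.com from 192.168.1.23
"""

# Only "query[...]" lines carry the client address; forwarded/reply lines are skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

def parse_queries(text, year=2020):
    """Return a list of (datetime, client, name) for each query line in the log."""
    out = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["client"], m["name"].lower()))
    return out

def _matches(name, domain):
    return name == domain or name.endswith("." + domain)

def context_for(queries, domain, window=10):
    """For every lookup of `domain` (or a subdomain), list what the same client
    resolved within `window` seconds; those neighbours hint at the app or SDK."""
    domain = domain.lower()
    report = []
    for ts, client, name in queries:
        if not _matches(name, domain):
            continue
        nearby = sorted({n for t, c, n in queries
                         if c == client and not _matches(n, domain)
                         and abs((t - ts).total_seconds()) <= window})
        report.append({"time": ts.strftime("%H:%M:%S"), "client": client, "nearby": nearby})
    return report
```

Run it against the real log (on Diversion routers the query log lives under the Diversion log directory) with the device's LAN address and the alert time to see what else was resolved in that window.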

Natey2

Regular Contributor
My Asus router AiProtection also indicates threat category: Spam, Phishing, Malware Accomplice, Made for AdSense sites, etc.
What was the threat listed for that site?

And almost all of it comes from my kid's iPhone, not my Android phone or Windows PCs.


AndreiV

Very Senior Member
So I uninstalled their app, but it made no difference.
I had a problem with an app on my Android 10 phone. That was connecting home after I uninstalled it. Ran a cleaner/optimizer and it was still doing the same. Digging around the phone I found folders for the offending app still present.

Maybe the same happens on iPhones?

martinr

Part of the Furniture
Didn’t think of that. Given Apple’s reputation for one of the most secure (least insecure?) operating systems, you’d expect a thorough deletion of all files. (And you’d hope Apple’s vetting of all apps would pick up unauthorised phoning home.) And I’m not sure there’s any way to root around inside a non-jailbroken Apple phone. If it comes to it, I could try resetting the phone and restoring all settings on the assumption that deleted files don’t return, too.

Thanks for the idea and help.

martinr

Part of the Furniture
My Asus router AiProtection also indicates threat category: Spam, Phishing, Malware Accomplice, Made for AdSense sites, etc.
What was the threat listed for that site?

And almost all of it comes from my kid's iPhone, not my Android phone or Windows PCs.
The threat listing is “Malicious Sites Blocking”

AndreiV

Very Senior Member
The threat listing is “Malicious Sites Blocking”
If the site is known and you are happy with it simply whitelist it. Maybe AiProtection is getting it wrong (which it does).

martinr

Part of the Furniture
If the site is known and you are happy with it simply whitelist it. Maybe AiProtection is getting it wrong (which it does).
(No need to whitelist: both the app and the website worked perfectly anyway, despite that specific domain being clocked as malicious and blocked by AIProtection.)

It’s not the possibility of AIProtection getting it wrong (eg a false positive) that bothers me at all. What AIProtection has done (rightly or wrongly), and I’m really grateful to it, is to alert me to something on my iPhone ‘phoning home’ and, more importantly, still doing so after I had taken obvious steps to stop it. Even if those steps had worked, I’d still be very concerned that unauthorised ‘phoning home’ can take place. And it makes me wonder: for the one attempt AIProtection caught, are there another 99 successful connections by other bits of code ‘phoning home’ to domains not listed as malicious?

And this event has prompted me to do something I had been considering for a while: I turned OFF Skynet’s importing data from AIProtection. This way, I’d get an email every time AIProtection spots something, whereas if I left it ON, I’d only get the first email and, thereafter, unless I rigorously checked Skynet’s log, I’d forget all about it and be unaware that anything was continuing to ‘phone home’ because Skynet would have taken over control of the blocking for that IP address.

RMerlin

Asuswrt-Merlin dev
Trend Micro's WRS labels it as a spam domain, but safe. So it's probably used for in-app ads.

AndreiV

Very Senior Member
@RMerlin that website does not return the same classification as the AiProtection in Asus:
That is quite possible. Are the definitions/signatures on your router up to date with what the TrendMicro site is using?

Sites get reclassified by users every day, sites remove malware and malicious content, the site is then clear but your TM signatures can be a few days behind.

Natey2

Regular Contributor
I don't see an option to update the TrendMicro malware signatures via the router. Maybe the signatures are remote.
I was at Asus Firmware Version: 3.0.0.4.384_81116
Just updated to Version: 3.0.0.4.385.20490

The AiProtection interface is a little different now under the "Malicious Sites Blocking" tab.

Natey2

Regular Contributor
GUI > Administration > Firmware Upgrade > Signature version
Thanks! Makes sense now.
I thought that was some signature related to the Asus firmware and not TrendMicro AiProtection. Gotta click on that every week or so?
