AiProtection: GUI always shows 0

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

Theliel

Regular Contributor
Sorry back to the thread, but I wanted to wait a few weeks to see if in the end it gave signs of AirProtection is working or not, and I have to say no, that during all these weeks log are completely empty, which I can assure is not working fine. What's more, today I have seen a external brute force against RDP in my Windows Machine, something that was previously detected and blocked in the same Router.
 

Vexira

Part of the Furniture
I reset my router, and triggered a false positive with MSI live update, I have an MSI motherboard, and it shows up as a an event in the log being blocked, when the app tried to update.
 

Natey2

Regular Contributor
For whom is any of the AiProtection components working?
I'm on stock Asus firmware, and AiProtection works. Not sure how accurate it classifies threats though:


Sent using Tapatalk
 

Smokey613

Very Senior Member
I went to the wicar.org test page and AiProtection promptly blocked the 4 tests I ran. I then checked the AiProtection gui and it correctly shows my recent tests. It works great on my setup. BTW, I am in a CGNAT environment with my ISP even though I have their modem in bridge mode.
 

New2This

Senior Member
Wife's phone seems to be working :eek:

Ai.png
 

Theliel

Regular Contributor
There is no way, I have tried everything.

Could it be associated with this same problem?

https://www.snbforums.com/threads/e...qos-on-asus-rt-ax58u-breaks-everything.62919/

In my case IPTV is managed by a "superior" Router (There is no double NAT, the Internet connection is completely managed in Asus (PPPoE), and IPTV multicast traffic is accessed from the Asus network to the router above with a pair of routes and little else

-QoS seems to work, but does not respect the bandwidth limitation, already reported before.
-AiProtection does not work in any way, is not only about logging, dont work, tested.

Looking at the quoted thread, I've also tried disabling FC, disabling QoS or IGMP Proxy. Nothing seems to work

As I was saying, with the AC56u I never had problems with the exact same scheme.

I see that others that it works without problem with the AX58u, I imagine that it could be related to the aforementioned bug or something similar, maybe some setting... I will try tomorrow again with another full reset.

If anyone has any ideas, I'm all ears
 

Phil Outram

Regular Contributor
I have had the same problem for over a year. I managed to fix this problem with my RT-AX88U today doing the following:

1) factory reset via the router gui

2) formatted the jffs partition

3) cleared the nvram via holding down the wps button for 30 seconds whilst powering the router on, waiting a minute and then rebooting.

After all this completed I proceeded to set things back up again manually without restoring any backups.

I gave to admit it was a pita since I've got a lot of settings, the whole thing took about 2 hours to reconfigure and tidy back up again but it's all done now and aiprotection stats are working. I've also taken a new backup of it in this 'clean' state should it ever break again. Hopefully that will provide a quick fix should there be a next time.
 

L&LD

Part of the Furniture
Make sure you save the firmware you made the backup with, available with those backup config files. It will only provide a 'quick fix' if you haven't moved off that firmware. :)
 

Diamond67

Senior Member
I have the same problem now.

AiProtection - Malicious Sites Blocking seems to work but there won't be any events recorded nor graphs. Just zero...
 

RMerlin

Asuswrt-Merlin dev
I have the same problem now.

AiProtection - Malicious Sites Blocking seems to work but there won't be any events recorded nor graphs. Just zero...

You can try deleting the database, however the logging issues seems to be a long-time random issue that pops up now and then for certain models. Stop AiProtection, then delete the existing database:

Code:
rm -rf /jffs/.sys/AiProtectionMonitor/*

Then re-enable AiProtection.
 

Diamond67

Senior Member
You can try deleting the database, however the logging issues seems to be a long-time random issue that pops up now and then for certain models. Stop AiProtection, then delete the existing database:

Code:
rm -rf /jffs/.sys/AiProtectionMonitor/*

Then re-enable AiProtection.

Worked nicely! :)

A new and working database + two event.txt-files appeared almost immediately in /jffs/.sys/AiProtectionMonitor/ -directory and AiProtection - Malicious Sites Blocking and Two-Way IPS showed events/graphs after performing a quick test (https://www.wicar.org/test-malware.html).

I got email alerts successfully too (see the spoiler below).

AiProtection Events1.png


AiProtection Events2.png


AiProtection Events3.png
 

JIPG

Regular Contributor
Worked nicely! :)

A new and working database + two event.txt-files appeared almost immediately in /jffs/.sys/AiProtectionMonitor/ -directory and AiProtection - Malicious Sites Blocking and Two-Way IPS showed events/graphs after performing a quick test (https://www.wicar.org/test-malware.html).

I got email alerts successfully too (see the spoiler below).

Recently I have upgraded from my RT AC87U to a new RT AX88U, and I have installed the Merlin FW 386.1 (thank you Merlin & themiron for such a great work!). It is working great and I am trying to learn all new possibilities the new router has.

I have found, as you, that the AiProtection has no hits when with the AC87U I had severals hits every day (mainly vulnerability attacks). I have followed the same process switching off the AiProtection, erasing the folder content and re-initiating the AiProtection, and tested again with Trendmicro malware testing url. Now I have the occurrences in the GUI, but the blocked page has an empty warning description (translation: detailed description (blank), We recommend (blank)):

screen capture.jpg


In the AiProtection folder, I do not have the txt files as you, only the database file of occurrences (I do not know if this is related).

When you have tested the "fake malwares", have you had in the warning page any details of the occurrence?
 

Diamond67

Senior Member
In the AiProtection folder, I do not have the txt files as you, only the database file of occurrences (I do not know if this is related).

When you have tested the "fake malwares", have you had in the warning page any details of the occurrence?

@JIPG

I checked my AiProtectionMonitor directory again with WinSCP (with "Show hidden files" activated), and now there was only the database file (AiProtectionMonitor.db) visible. No more text files. Maybe those txt-files were created only temporarily by AiProtection when the first events were monitored with the fresh database? Don't know.

When I tested the wicar site with my mobile phone browser (Brave) I got this kinda warning:

AiProtection test - Copy.jpg


But this time I didn't get the warning email from my router... :mad:

edit: Just noticed that those .txt-files that I mentioned earlier were sent to me (as attachments) when I got the email alerts. But now when I did not get the emails there were no .txt-files either.
 
Last edited:

Netbug

Regular Contributor
Funny enough for about 18 months i've not had a single hit/threat show in AI Protection on my RT-AC86U, and yes i do hard resets from time to time, prior to that i was getting regular hits. Testing on wicar.org and AI protection did nothing, no attempt to block me (yes all browser protection stuff was off for testing) I deleted database as RMerlin suggested, went to test website and finally worked.

I turned AI Portection off now, the thing that i find strange, i usually have around 29/34MB of free ram, always been like that which is fine, when i turn AI Protection off i gain around 110MB of free RAM, but after a few hours it drops back to around 29/34MB of free ram even though AI is turned off. Always been like that and i always wondered whether there is a memory leak or something in AI Protection which i know is closed source.
 

JIPG

Regular Contributor
@JIPG

I checked my AiProtectionMonitor directory again with WinSCP (with "Show hidden files" activated), and now there was only the database file (AiProtectionMonitor.db) visible. No more text files. Maybe those txt-files were created only temporarily by AiProtection when the first events were monitored with the fresh database? Don't know.

When I tested the wicar site with my mobile phone browser (Brave) I got this kinda warning:



But this time I didn't get the warning email from my router... :mad:

edit: Just noticed that those .txt-files that I mentioned earlier were sent to me (as attachments) when I got the email alerts. But now when I did not get the emails there were no .txt-files either.
@Diamond67 Thank you for the confirmation.
I have tried erasing again the database as Rmerlin recommended, and switching off and on the router after that, and the fake viruses (I expect) from wicar.com produces an increment in the count of events (good), but the in the device that triggers the "attack", the page with the the warning is still empty (no information about the origin or the type of malware).

Does anyone know if all this text (messages) are also written inside a specific folder inside nvram or jffs? (just to check).
 

5stringdeath

Regular Contributor
Mine has showed only zeros for some time now too. Glad i found this thread.
 

telUK

Regular Contributor
So is it better to just disable this feature now?

Always had it enabled, but currently have it off since upgrading to merlins 386.1, don't like to enable everything in one go after an update, but I might just leave this disabled.
 

Sonofdavidsfather

Occasional Visitor
You can try deleting the database, however the logging issues seems to be a long-time random issue that pops up now and then for certain models. Stop AiProtection, then delete the existing database:

Code:
rm -rf /jffs/.sys/AiProtectionMonitor/*

Then re-enable AiProtection.

Thanks for the help again. My logging is working again. It's things like this that make me glad I picked this router and joined this community.
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top