AiProtection Malicious Sites Blocking vs DNS blocking

decker

Occasional Visitor
If I use a DNS that protects against malware (like 9.9.9.9 or 1.1.1.2) can I disable the AIProtection setting for Malicious Sites Blocking? Is it redundant to have that enabled? I have people in the house who are less savvy about malware so having Malicious Sites Blocking enabled is convenient but I don't like having sites blocked for myself. If using a custom DNS on the router does the same thing I can use a different DNS on my device and not have to deal with potential false positives with blocked sites.

Which one is better? Do they both basically block the same websites?
 
I use both. DNS 1.1.1.2, 1.0.0.2 with DoT and DNSSEC along with AiProtection. Never have had what you call a false positive. Seldom get anything blocked by AiProtect.
However, I manage a friend's router and they use Quad9 and AiProtect. When their kids come home AiProtect blocks upwards of a hundred hits a day!

So, use both. Be safe. Also use an ad blocker in the web browser like uBlock Origin.
 
Aiprotect isn't great but more security rarely hurts (unless it is limiting your speed). DNS looks at strictly the hostname you're looking up, aiprotection looks at the URL. So for example shareddomain.com may be fine and DNS won't flag it but shareddomain.com/somepage may be bad and your browser or aiprotection will hopefully catch it.

There are much better solutions out there, built into browsers, antivirus extensions in browsers, etc, but I leave it on for when a guest uses my network or in case an app on my phone tries to hit something etc.
 
Hmm seems like DNS malware protection is quite useless then if it can be circumvented that easily. I do see AIProtection blocking sites consistently so it seems to be helping. None of my housemates use any kind of malware protection for their phones so AIP is probably good for that at least.
 
DNS protection has plenty of valid uses. Blocking adult sites is very easy with DNS (assuming someone doesn't use DOH or fire up a VPN, which circumvents it). There are plenty of domains that are malicious and should be blocked. But even aiprotection can be circumvented using a VPN. Nothing is bulletproof, you use as many layers as you can and try to teach good net hygiene to your users, which is in fact the only true protection - all these other measures are just safety nets with big holes in them.

First level is the user
Second level is the PC/browser
Third level is your network, whether it be packet inspection like aiprotection or DNS filtering, etc. Best is a proxy server with SSL intercept coupled with intrusion and virus detection/prevention but that isn't likely in a home environment.

In an enterprise environment, those may change order a bit (not order of importance, but order of where you focus, as no matter how many training classes you have, 1 out of 1000 people will click the malicious link every single damn time).
 
Aiprotection never hits for my stuff (my browser will catch before that, and typically false positives, or sites I know contain info on hacking or other stuff that the filters may consider "risky"). However guests phones with every game and random app in the world installed, it blocks hundreds of things within a few minutes.

It is interesting to see with Apple being so strict about their app store and claiming it is so much safer, those apps still are doing plenty of questionable things and being blocked. Not as much as android, but more than enough to raise concern.
 
Came across this post while looking for something else and will add a couple of things that I know to be true. First and foremost, back a few years ago I used AI Protect for 'malicious' sites and I found it was blocking certain sites that had nothing to do with malware or phishing but were political. Scroll through the log, but obviously it depends on you visiting one of these sites.
Secondly, I can verify that DNS protection works, as I just signed up for Control D and, while I am still learning, I had to turn off a couple of categories I had set up in my privacy profile because I noticed I was not getting to a few sites, and after I unchecked them they worked.
 
They both work for what they're intended to work for, and both are prone to false positives as well.

It is likely that the "political" site was infected with some malware at some point (potentially a banner ad, even Microsoft has had that happen to them) and the blocking had nothing to do with politics at all.
 
Certainly possible, but in this heightened world of censorship it's possible sites were blacklisted for other reasons.

But what you said is certainly possible.

Do you know or is there a way of knowing how sites get added to it?
 
Not certain with Trend Micro but I have to assume it is like every other one out there, a combination of their staff being informed of major new threats, and information gathered from clients (part of the reason you need to sign consent to enable it). People can report sites as well and if enough do, it will automatically trigger a block pending a review.

Of course as companies reduce staff, they more and more let the algorithm block stuff and it won't get unblocked unless the site owner and/or many users nag them about it repeatedly.

My guess is most of their database is filled from heuristic detection from their antivirus clients on PCs, then that database (or a subset of it) gets pushed out to the routers.
 
Right but if I was a smart malware creator and knew how to get around DNS protection I would do like your example and put all the malware on the sites other than the homepage. Or maybe malware creators don't care because they know most people don't use DNS protection and many don't use any kind of protection and they want to catch as many victims as they can who land on their homepage?
 
That's not how DNS blocking necessarily works. It is only an issue if multiple sites share the space, and DNS filtering can just block anything under that domain if the site is deemed malicious. A DNS lookup doesn't skip the main subdomain because you went to a specific page. Also, some DNS blocking will block the entire IP if it is known to be malicious (ControlD). This can cause false positives if the IP is shared by multiple sites.
 
Thanks, I'll just have to trust that it is doing something effective.
 
Yes. Like I said DNS filtering has its uses but it is by no means a single, bulletproof solution. It is one part of a strategy.
 
The point is a malware creator can use a shared hosting site/domain that is not 100% malicious. It happens all the time and DOES bypass DNS filtering because the main domain is not flagged as malicious. That's what I was saying.

Another example is them hosting malware on some site that is perfectly legit but they've found a hole somewhere. That may end up resulting in the main site getting flagged, it may not.
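The thread's disagreement about what each layer can and cannot see comes down to which part of a request is visible to the filter. The toy model below is an added example, not code from the thread, from ASUS/Trend Micro or from any DNS provider. It models a hostname-only DNS filter (with an optional IP-level block, as the ControlD post describes) next to a URL-aware filter that sees the path, and runs a few constructed URLs through both. Every hostname, IP address and blocklist entry is constructed sample data (`.example` names and RFC 5737 documentation addresses); the function names are the example's own.

```python
from urllib.parse import urlsplit

# Constructed sample resolver data (hostname -> IP). Two unrelated hostnames
# share one IP to model shared hosting; addresses are RFC 5737 documentation ranges.
FAKE_DNS = {
    "shareddomain.example": "203.0.113.10",
    "innocent-blog.example": "203.0.113.10",   # same IP as shareddomain.example
    "known-bad.example": "198.51.100.5",
    "login.known-bad.example": "198.51.100.6",
}

# Constructed blocklists for the two layers.
DNS_DOMAIN_BLOCKLIST = {"known-bad.example"}             # the name plus every subdomain
DNS_IP_BLOCKLIST = {"203.0.113.10"}                       # IP-level block, as some resolvers offer
URL_BLOCKLIST = {("shareddomain.example", "/somepage")}  # (host, path prefix)


def hostname_blocked(host, blocklist=DNS_DOMAIN_BLOCKLIST):
    """Domain-list match: the name itself or any parent domain is on the list,
    so a listed domain covers all its subdomains and every page under them."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def dns_filter(host, block_ips=False):
    """What a filtering resolver can decide from a lookup alone.
    Only the queried name (and, optionally, the answer IP) is visible;
    the URL path never appears in a DNS query."""
    if hostname_blocked(host):
        return False, "domain on blocklist"
    ip = FAKE_DNS.get(host)
    if block_ips and ip in DNS_IP_BLOCKLIST:
        # Blocks every site behind that IP, including unrelated ones: the
        # shared-hosting false positive the thread mentions.
        return False, "resolved IP %s on blocklist" % ip
    return True, "allowed"


def url_filter(url):
    """What a URL-aware filter (router web filter, browser) can decide:
    it sees host and path, so it can block one page on an otherwise clean domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for bad_host, bad_prefix in URL_BLOCKLIST:
        if host == bad_host and path.startswith(bad_prefix):
            return False, "URL path on blocklist"
    return True, "allowed"


def evaluate(url, block_ips=False):
    """Run one URL through both layers; returns {'dns': (ok, why), 'url': (ok, why)}."""
    host = (urlsplit(url).hostname or "").lower()
    return {"dns": dns_filter(host, block_ips), "url": url_filter(url)}


if __name__ == "__main__":
    for u in (
        "http://shareddomain.example/",            # clean page on a shared domain: both allow
        "http://shareddomain.example/somepage",    # bad page: DNS cannot see the path, URL filter can
        "http://login.known-bad.example/anything", # listed domain: DNS blocks every subdomain and page
        "http://innocent-blog.example/",           # unrelated site on a blocked IP (see block_ips)
    ):
        print(u, evaluate(u), evaluate(u, block_ips=True)["dns"])
```

Running it shows the two failure modes side by side: `shareddomain.example/somepage` passes the DNS layer and is caught only by the URL layer, while `innocent-blog.example` is collateral damage once IP-level blocking is switched on. Neither layer replaces the other, which is the thread's conclusion.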
 