Does AiProtection really work?

Good to know about the Russian connection. AG started acting weird on my router recently, so I went back to Diversion. AG is fun to play around with, has great reporting & logging. Diversion has much of the same, seems to integrate better w/ Merlin, and other features found in AG can be configured on other parts of the router, like assuring that the router is the exclusive provider of DNS by blocking 53, 853, 80/443 UDP & so on (DNS Director works and then doesn't). Diversion has its quirks, but generally seems to be stable.

AIProtect: I believe, over the last few months with the news about Asus routers having certain CVEs, I found that one of the functions of the IDS/IPS portion is to prevent those vulnerabilities from being exploited on the router, if you haven't updated or receive a new device that may have been on the shelf for a while. If you decide to turn AIProtect off then you might not have protection and should probably be sure to update your router anytime an update is released...

On another note, I wanted to see what the AIProtect option in Skynet was about, to see what entries would be added when you select "Add AIProtect Data". I had ClaudeAI put together a script. As far as I can tell it doesn't make any external calls or run outside of its lanes (only pulls the sql data and formats it). The attached script, I placed in my /jffs/scripts folder. After running the script, the database really doesn't have all that much information in it other than what's easily found in the WebGUI. There's an option to export that data into a report, however I haven't tried that menu option... Thought I would upload it, in case someone is interested. YMMV as it has only been tested on an AX86u, so you may have to make adjustments to the script for it to work & a "chmod +"? once you save it... In other words, I currently don't have the time to support it, however if you want to see what's in the AIProtect database this does that and a little more...
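The post above mentions making the router the exclusive DNS provider by blocking 53, 853 and 80/443 UDP. The script below is an added example of that firewall policy and is not the attached script or anything from the thread. It assumes Asuswrt-Merlin conventions (a `/jffs/scripts/firewall-start` hook, the LAN bridge `br0`, and `nvram get lan_ipaddr` for the router's LAN address); everything else (the `DRY_RUN` switch, the fallback address 192.168.50.1, the `apply_rule` helper) is this example's own. With `DRY_RUN=1`, the default, it only prints the iptables commands so you can review them before applying.

```shell
#!/bin/sh
# Added example (not from the thread): make the router the only DNS provider on the LAN.
# Intended for Asuswrt-Merlin as /jffs/scripts/firewall-start. Assumptions: the LAN bridge
# is br0 and "nvram get lan_ipaddr" returns the router's LAN address (fallback is a
# made-up 192.168.50.1). DRY_RUN=1 (default) prints the commands instead of running them.
LAN_IF="${LAN_IF:-br0}"
ROUTER_IP="${ROUTER_IP:-$(nvram get lan_ipaddr 2>/dev/null || echo 192.168.50.1)}"
DRY_RUN="${DRY_RUN:-1}"

# Insert a rule only if it is not already present; firewall-start can run more than
# once per boot (e.g. WAN reconnect) and duplicate rules are a common mistake.
apply_rule() {
    table="$1"; shift
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables -t $table -I $*"
    else
        iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -I "$@"
    fi
}

dns_lockdown_rules() {
    # 1. Plain DNS (53/udp, 53/tcp) from LAN clients is redirected to the router's own
    #    resolver, so a client with a hard-coded 8.8.8.8 still gets the router's answers
    #    (and therefore the Diversion / DoT policy configured there).
    for proto in udp tcp; do
        apply_rule nat PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
            ! -d "$ROUTER_IP" -j DNAT --to-destination "$ROUTER_IP"
    done
    # 2. DNS over TLS (853) from a client straight to an outside resolver is dropped in
    #    FORWARD. The router's own DoT session to its upstream leaves via OUTPUT, so it
    #    is not affected by this rule.
    for proto in udp tcp; do
        apply_rule filter FORWARD -i "$LAN_IF" -p "$proto" --dport 853 -j DROP
    done
    # 3. 80/udp and 443/udp (HTTP/3 / QUIC) are dropped so DNS over HTTPS cannot slip
    #    past as QUIC. 443/tcp stays open, so DoH over HTTP/2 to a known resolver still
    #    has to be handled by a blocklist entry for the resolver's hostname.
    for port in 80 443; do
        apply_rule filter FORWARD -i "$LAN_IF" -p udp --dport "$port" -j DROP
    done
}

dns_lockdown_rules
```

Review the printed rules first, then run it with `DRY_RUN=0` on the router. Because the 853 and QUIC rules are plain DROPs, a client that insists on its own DoT or DoH resolver will see timeouts rather than a redirect; that is visible in the client's resolver logs and is the expected sign that the policy is working.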
I support a few Asus routers remotely, the signature file shows version 2.464 from Jul 2025.
 
Adguard is Russian. It seems to always be the one complaining in logs about DNS rebind security issues when I tried a couple of years ago using their DNS resolvers.

  1. I use Cloudflare's Family DNS over TLS, with DNSSEC. Cloudflare Family does Malware and Adult. Remember, many adult sites and adverts on them are booby trapped in terms of malware.
  2. Validation of unsigned DNSSEC replies
  3. DNS rebind protection enabled.
  4. I use Microsoft's Smartscreen and Defender on Windows PCs.
  5. Windows PCs locked down further by group policies and disabling of non-important services (like telemetry)
  6. Auto Update enabled on other family member devices.
  7. On Windows, remove some components not required by DISM (e.g. Windows Recall).
  8. Android and Apple devices configured to be more secure than default by disabling any "leakage" of data where possible.
  9. No old protocols in use like SMB v1 on any device.
  10. WPA3 and MAC filtering (yes, MAC filtering is not absolute, just another step to make it harder for casual)
  11. Long SSID passkey with complex characters and non-dictionary words
  12. Isolate WiFi devices from other VLANs / Intranet
  13. All devices must use the DNS over TLS as it's set to force on Asus router.
  14. AI Protection is ON and caught stuff on a regular basis, mainly, but not limited to, things like adverts being a scam.
  15. I use Diversion and LARGE list for Ad blocking.
  16. DoS enabled on routers and switches (my switches are managed types).
  17. WiFi devices over Surfshark VPN at router level.
  18. VLANs setup on router (GT-BE98)
  19. Machines/Switches and software are patched.
  20. Any web facing servers behind reverse proxy and Cloudflare (free) as two stage certs between host and clients and hides home IP. Most security options enabled there.
  21. Client Outlook configured to block any countries deemed not required for emails (UK/Eire/US/Australia/NZ/Europe OK but others not so)
  22. Skynet blocks certain countries unlikely to ever visit their URLs (North Korea etc)
  23. Review of privacy and security options at Google and Microsoft including setup of 2FA.

Defence in Depth for me. Just some of the stuff I've done.

Just some of the stuff I've done.

Is ad blocking in your list?

OE
 
Adguard is Russian. It seems to always be the one complaining in logs about DNS rebind security

Like all other upstream filtering services returning 0.0.0.0. It's an old Russian DNS rebind trick.

Just some of the stuff I've done.

Won't hurt to learn what some of the stuff on your list does and how. It's close to "how to torture my family members better with what I found on the Internet" category. Completely unrelated to the original question about AiProtection.
 
The signatures file AiProtection uses updates infrequently. Chances to catch something new are slim.

Tech9, the point is that a signature file can likely be released much more quickly than a firmware update. Even if it updates infrequently, if you watch things like the botnet ipset blocklist in Skynet, they often don't update except every few days, or even weeks I've seen. I suspect that Trend basically uses that same blocklist for the "infected device..." portion of AIProtection, which says it's for botnets/zombies, except a more customized list based on their own observations...
 
For advanced users I'd recommend a custom blocklist in Diversion, using one of the pre-defined lists. Even the smallest one works pretty well IMO. The Hagezi threat intel feed is essential, which doesn't really block ads...

Adding that into your custom blocklist, even though it's updated 2 times a week, probably complements Skynet pretty well...

As an edit: I think Diversion could update daily with recent improvements in bandwidth as compared to when it was first released... One good thing about AG is that you can update hourly, which is likely unnecessary when paired with the built-in TrendMicro site filtering...
 
You can view the ruleset in /tmp/bwdpi/bwdpi.rule.db. I was actually surprised to see a couple of CVEs from 2025 in their database.

The latest ruleset was published on Thursday, June 19, 2025 11:35:03 PM.