
Is AiProtection not working on latest 384.11 Merlin's firmware???

Teymur

Regular Contributor
Hi guys,

I have an RT-AC3200 running the latest (384.11) Merlin's firmware. What I've been noticing is that AiProtection doesn't report anything. I'd usually have a lot of IPS reports, but now everything is just 0. It seems to me like it's not working. I never withdrew from sharing information with Trend Micro (Administration > Privacy).
Does anyone experience the same? Please share your thoughts. Anything would be helpful. How do I check if it's working? Is there a way of triggering it just to see if it blocks anything and reports?

Regards

Teymur
 

It works... you can try this test (download the txt):
You should see TWO-WAY IPS hits:
http://2016.eicar.org/85-0-Download.html

And also this is blocked by AiProtection:

5ka.ru.com


But I and many have issues with AiProtection. Dcd crashes sometimes, for example when you do get a hit, and sometimes I saw it crash after updating the Diversion blocking list... Maybe Diversion or Skynet makes it crash, I don't know, but even when dcd crashes, AiProtection still works. Hope there will be a solution. After the crash, the RAM goes up by 5%, and disabling and enabling AiProtection frees RAM after the crash.

(dcd is something related to AiProtection):

Code:
May 13 00:16:46 kernel: dcd[1878]: unhandled level 3 translation fault (11) at 0x00000000, esr 0x92000007
May 13 00:16:46 kernel: pgd = ffffffc00b592000
May 13 00:16:46 kernel: [00000000] *pgd=000000000b7b9003, *pud=000000000b7b9003, *pmd=000000000b7b8003, *pte=0000000000000000
May 13 00:16:46 kernel: CPU: 1 PID: 1878 Comm: dcd Tainted: P           O    4.1.27 #2
May 13 00:16:46 kernel: Hardware name: Broadcom-v8A (DT)
May 13 00:16:46 kernel: task: ffffffc01e0335c0 ti: ffffffc00b7c8000 task.ti: ffffffc00b7c8000
May 13 00:16:46 kernel: PC is at 0xf6ec9f44
May 13 00:16:46 kernel: LR is at 0x1dc74
May 13 00:16:46 kernel: pc : [<00000000f6ec9f44>] lr : [<000000000001dc74>] pstate: 600e0010
May 13 00:16:46 kernel: sp : 00000000ffc4dc58
May 13 00:16:46 kernel: x12: 000000000009ff08
May 13 00:16:46 kernel: x11: 00000000f61ff024 x10: 00000000000a02ac
May 13 00:16:46 kernel: x9 : 00000000f61ff798 x8 : 00000000000a0764
May 13 00:16:46 kernel: x7 : 00000000f61ff7d0 x6 : 00000000000a075e
May 13 00:16:46 kernel: x5 : 0000000000000000 x4 : 00000000f61ff77c
May 13 00:16:46 kernel: x3 : 0000000000000000 x2 : 00000000ffc4dc34
May 13 00:16:46 kernel: x1 : 000000000007c66c x0 : 0000000000000000
 
Hi Delusion,

Thanks a lot. This actually triggered it. I can now see reports in AiProtection. I'd usually get tons of reports every day, especially the ones from IPS. I don't personally believe that my ISP has spent money to install expensive hardware/software to prevent all the attacks before they reach me. The reason I've posted this is that these last 2 days I'm being constantly accessed from a few IPs (213.227.134.165 and 188.166.88.55); they try to access the router on port 8443, which is enabled for access from WAN. I had to change the port and I still see those IPs trying to establish the connection on port 8443. The firewall keeps dropping the packets.

Regards

Teymur
 

You really should close that open WAN port. Now. ;)
 
AiP has had a rough history for me. With past firmwares it has indicated zero or many hits depending on the f/w version in use at the time. I don't know if that means it doesn't work at all, or it just doesn't indicate it is working, or there really weren't any hits. I show only a few hits so far since 384.11 was released. I don't rely on the indications.

Will try the test.
 
Depending on if Skynet and Diversion are also installed and running on the router, it will show even fewer hits too. :)
 
Would you recommend disabling it if running Diversion and Skynet (and firewall with DoS protection enabled)? Less RAM used and no more dcd crashing..

Some minutes ago I had a dcd crash; RAM was 91%, and after disabling AiProtection the RAM used is now down to 82%.
 
Hi,

Sorry, what's Skynet and Diversion, and why would they be installed on the router?

Teymur
 
I would recommend the opposite, actually. AiProtection, Skynet and Diversion work very well together to protect our routers and networks. :)

https://www.snbforums.com/threads/amtm-step-by-step-install-guide-l-ld.56237/

With a spare USB drive and a configured swap file via amtm, I would ignore any RAM used percentages unless they started causing your router/network genuine problems. Linux knows how to best handle the physical RAM it has available and it is best for performance when it uses as much as it can. ;)

https://www.snbforums.com/threads/release-skynet-router-firewall-security-enhancements.16798/

https://www.snbforums.com/threads/diversion-the-router-ad-blocker.48538/

The links above are for informational purposes; I recommend installing these scripts after following the amtm Step-by-Step guide, and using amtm for those installs too. :)
 
AiProtect has not been reporting anything under IPS for some time. I think the advice from Merlin was it’s still working, just not reporting.
 
+1! Close that port!
Turn off access from WAN.
 
Dcd crashes on RT-AC86U are a known bug, to be fixed by Asus one day......
My 86 certainly has the issue.
 
Amtm, Skynet & Diversion do great things for your internet experience. :)
Chop out a whole lot of advertising/bad guys junk.
Well worth the time & effort to set up.
L&LD step by step amtm set up is your starting point. Everything starts making sense then.
Enjoy the journey!
 
> +1! Close that port!
> Turn off access from WAN.

I've changed the port already to some random port number. If access from WAN is disabled there is no way the ASUS apps will work to remotely monitor the router, which I really like, even though the apps could've been better and maybe used another way of getting into the router. I think if there is no other way to make the apps work with WAN access disabled, I will end up closing the WAN access completely. I keep watching the syslog for the firewall.

> Amtm, Skynet & Diversion do great things for your internet experience. :)
> Chop out a whole lot of advertising/bad guys junk.
> Well worth the time & effort to set up.
> L&LD step by step amtm set up is your starting point. Everything starts making sense then.
> Enjoy the journey!

This one is for sure, once I get some time I'll install.
I also wish that Merlin's firmware had an OpenWrt-like GUI for firewall rules and interface/VLAN setups.
Regards

Teymur
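
The syslog watching described in the post above can be condensed into a per-source count of dropped connection attempts to one port. This is an added example, not part of any post in this thread; it assumes iptables LOG-style lines with a `DROP` prefix and `SRC=`/`DPT=` fields (the attached syslog.txt is not shown on this page), and the sample lines and addresses are constructed.

```shell
#!/bin/sh
# Added example: summarise firewall drops aimed at one destination port.
# Assumed log format: "... kernel: DROP IN=... SRC=a.b.c.d ... DPT=n ...".

# Constructed sample lines (documentation-range addresses, not from the thread).
sample_log() {
cat <<'EOF'
May 13 00:20:01 kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=8443 SYN URGP=0
May 13 00:20:03 kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51240 DPT=8443 SYN URGP=0
May 13 00:20:09 kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=40022 DPT=8443 SYN URGP=0
May 13 00:21:15 kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=198.51.100.99 DST=192.0.2.10 LEN=40 TTL=240 PROTO=TCP SPT=44100 DPT=23 SYN URGP=0
May 13 00:21:40 kernel: ACCEPT IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=203.0.113.50 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51300 DPT=8443 SYN URGP=0
May 13 00:22:02 kernel: dcd[1878]: unhandled level 3 translation fault (11) at 0x00000000, esr 0x92000007
EOF
}

# drops_by_source PORT: read syslog on stdin and print "count source-ip" for
# every source whose packets to PORT were dropped, busiest source first.
drops_by_source() {
    awk -v port="$1" '
        / DROP / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # Compare the whole field so DPT=18443 does not count as 8443.
            if (src != "" && dpt == port) hits[src]++
        }
        END { for (s in hits) print hits[s], s }
    ' | sort -k1,1nr -k2,2
}

# Accepted packets and unrelated kernel messages are ignored.
sample_log | drops_by_source 8443
```

A source that keeps appearing for the old port after the port was changed is simply retrying a previously seen service; the count shows whether the attempts are tapering off.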
 
Use a VPN to access your router from outside your network. OpenVPN server works great with a random public port number. ;)
 
Use AiProtect > Network Protection > Scan.
Fix anything/everything that it suggests. That will give you a basic start point for router security. Puts a guard on the gate.

Amtm/Diversion/Skynet gives the guard firepower!
 
I've seen the threads about AiProtect vs Diversion+Skynet, but I still don't understand. What exactly does AiProtect provide that Diversion+Skynet does not?
 
Just another option for keeping malware out of the network. Doesn’t seem to be any performance overhead, so the more the merrier!

What one might miss, another of the trio might block?
 
Actually, Skynet works together with AiProtect by also entering IP addresses that were blocked into Skynet's blacklist, if enabled in the settings.
 
