
Performance impacts from Trend "AI Protection" features

neil0311

Have a RT-AC68P and updated to 378.51 and noticed the new "AI Protection" features such as Malicious Site Blocking, Vulnerability Protection, and Infected Device Prevention and Blocking and enabled them. I am curious what is the impact to performance from enabling them?

What is the hit to network performance and CPU? I noticed what appears to be a small increase in radio and CPU temps, but nothing serious. Is it placebo or is there a penalty when you enable?
 
I have not seen any numbers but only the ARM chipsets got the Trend Micro firewall because the MIPS CPU could not handle it.

I think it is a layer-7/application-layer firewall, which is well known for requiring more processing than standard firewalls.
 
The Trend Micro engine is actually quite efficient. When it originally debuted in the RT-AC87U, I did some benchmarking using iperf between LAN and WAN with Adaptive QoS enabled. I was able to reach over 500 Mbps of throughput then, which ain't bad at all.
 
Hey Merlin,

On the topic of the Trend Micro engine, does the firmware download signatures from Trend Micro onto the device and use those with a locally run process, or does it compare your traffic to a ruleset hosted on their servers? I.e. Is Trend Micro seeing all my traffic to keep me secure? If so, pretty big trade off vs privacy, especially for a home network user.
 
It uses a local signature for some things (unsure what exactly, it's encrypted), but the bulk of the website validation is done by sending URLs back to Trend Micro's security server. Which is exactly the same thing your Internet Explorer does with Smart Screen, or both Google Chrome and Mozilla Firefox with their own malicious website protection.

Trend Micro isn't hiding anything there, there's even a EULA you have to accept the first time you enable AiProtection.

Signature-based security is on the way out. There is no way to provide adequate security with static signatures that are becoming far too big (a full signature update for Norton Antivirus 2014 sits at over 200 MB now), or updated too infrequently (even 4 hours is a very long risk window). Most security suites are leveraging the cloud these days to provide up-to-date security, and I expect this tendency to continue.
 
Hey Merlin,

Many thanks for the prompt reply, and additional insight regarding signatures, excellent point. I wonder if that applies to all the features though. You mention the example compared to browsers, I thought they work on the google-safe-browsing protocol? I.e. FF/Chrome downloads a list every 30mins or so and stores locally, and only communicate externally if you hit a website matching that local list to double check it's still on. Apart from that, your browsing is kept private.

Each one toggles the EULA, so I assume you agree to send some private data no matter which option is on. Agreed, they do present you a clear prompt to agree to the EULA, but it's the same for all 3. I wish Trend Micro made it clearer regarding what info was shared regarding each feature instead of a one size fits all when they probably work differently.

On a side note, that's going to be a nice chunk of "Big Data" for them/other security vendors to gather long-term. Although the feature is off by default now, I wonder if it will be default enabled further down the line, and the current agreement merged into a large one on setup of the router. I am not saying Asus/Trend Micro is going to do this, but wonder if the industry as a whole might move towards it. As you mentioned, leveraging the cloud seems to be the tendency.
 
Hm. I always assumed Firefox/Chrome's checks were done remotely, considering how large the list of known malware sites must be these days.
 
I assume encryption/HTTPS adoption will soon obsolete lots of these types of gateway antivirus firewalls.
 
It uses a local signature for some things (unsure what exactly, it's encrypted), but the bulk of the website validation is done by sending URLs back to Trend Micro's security server. Which is exactly the same thing your Internet Explorer does with Smart Screen, or both Google Chrome and Mozilla Firefox with their own malicious website protection.

Trend Micro isn't hiding anything there, there's even a EULA you have to accept the first time you enable AiProtection.

Signature-based security is on the way out. There is no way to provide adequate security with static signatures that are becoming far too big (a full signature update for Norton Antivirus 2014 sits at over 200 MB now), or updated too infrequently (even 4 hours is a very long risk window). Most security suites are leveraging the cloud these days to provide up-to-date security, and I expect this tendency to continue.

Anyone know the host, port or protocol it uses to communicate with the security server? For the paranoid like me.
 
Hm. I always assumed Firefox/Chrome's checks were done remotely, considering how large the list of known malware sites must be these days.

They did this in one way or another previously, but changed to local checks in the v3 of the new API about 6 months ago. Which I believe the latest FF/Chrome uses.

"The Safe Browsing API is an experimental API that enables applications to download an encrypted table for local, client-side lookups of URLs that you would like to check. In 2014, we published a new version (v3) of the Safe Browsing API, which adds features and efficiency improvements to the previous v2. The Safe Browsing API is used by several browsers, including Google Chrome and Mozilla Firefox. You can start using the Safe Browsing API v3 now."

"Safe Browsing API v3 advantages:

  • Privacy: API users exchange data with the server using hashed URLs, so the server never knows the actual URLs queried by the clients.
  • Response time: API users maintain a local cache of the hashed URLs in our suspected phishing, malware, and unwanted software lists; they do not need to query the server every time they want to check a URL."
Link: https://developers.google.com/safe-browsing/

I wonder if Trend Micro is using the same protocol, but pointing to their own safe browsing server vs Google's.
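
The hashed local lookup described in the Safe Browsing text quoted above, as an added example that is not part of the thread and not a model of the Trend Micro engine (whose protocol the thread does not establish). It is simplified: URL canonicalization is skipped, and the list entries, the `server` stand-in and all function names are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each SHA-256 digest kept in the local cache

def expressions(url):
    """Host-suffix/path-prefix strings for a URL (simplified: no
    canonicalization, query-string or IP-address handling)."""
    parts = urlsplit(url)
    labels = parts.hostname.split(".")
    hosts = [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]
    segs = [s for s in parts.path.split("/") if s]
    paths = ["/"]
    for i in range(1, len(segs) + 1):
        is_file = i == len(segs) and not parts.path.endswith("/")
        paths.append("/" + "/".join(segs[:i]) + ("" if is_file else "/"))
    return [h + p for h in hosts for p in paths]

def digest(expr):
    return hashlib.sha256(expr.encode()).digest()

def check(url, cache, full_hash_lookup):
    """Return (verdict, prefixes disclosed to the server) for one URL."""
    sent = []
    for expr in expressions(url):
        d = digest(expr)
        if d[:PREFIX_LEN] not in cache:
            continue                    # decided locally, nothing leaves the client
        sent.append(d[:PREFIX_LEN])     # only the short prefix is disclosed
        if d in full_hash_lookup(d[:PREFIX_LEN]):
            return "blocked", sent
    return "allowed", sent

# Constructed sample list entries (not real Safe Browsing data).
BLOCKLIST = ["malware.example.test/", "cdn.example.test/downloads/setup.exe"]
FULL_HASHES = [digest(e) for e in BLOCKLIST]
# What the client downloads periodically: digest prefixes only.
CACHE = {d[:PREFIX_LEN] for d in FULL_HASHES}

def server(prefix):
    """Stand-in for the remote full-hash request."""
    return [d for d in FULL_HASHES if d.startswith(prefix)]

if __name__ == "__main__":
    for u in ("http://news.example.test/story",
              "http://cdn.example.test/downloads/setup.exe?x=1"):
        verdict, sent = check(u, CACHE, server)
        print(u, verdict, [p.hex() for p in sent])
```

A URL with no prefix hit is resolved entirely on the client, while a hit discloses only a 4-byte digest prefix, in contrast to the model described earlier in the thread where the URL itself is sent to the vendor's server.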
 
