bought an ASUS AC-87U Router, do I still need an AV?

Discussion in 'other anti-virus software' started by Mortal Raptor, Dec 25, 2014.

  1. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    WOW Asus are such epic failures at Firmware. Turns out their latest firmware released on 2/16 TOTALLY BREAKS their URL/AiProtection! I tested this via multiple factory resets, and it simply broke it. If I revert to an older firmware, or go with Merlin, it works fine again.

    Personally, I've lost any confidence I had in ASUS's software team, and will stick with Merlin now. I cannot believe they would break something as crucial as the AiProtection aspect. Do they not even bother to test?
     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    OMG... confirmed, completely broken. A serious issue to report.
     
    Last edited: Feb 28, 2015
  3. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    Yes, they have great hardware spoiled by lousy firmware. Thank god Merlin exists.
     
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Does the Merlin firmware fix the vulnerabilities patched by ASUS in the latest firmware?
    EDIT: I think I found the answer myself, 378.51_beta1 seems to have fixed most of them.
     
    Last edited: Feb 28, 2015
  5. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Merlin is likely behind because of the massive BREAKING Asus did with the latest. Mortal, can you inform Merlin of this tremendously bad bug?

    Bad firmware is common in the industry. You should see what I find broken in $100,000.00 Fortinet appliances, and sometimes things break with each firmware. The only company I haven't seen do a terrible job on Firmware has been ZyXEL believe it or not.
     
  6. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    Bug reported, will keep you updated
     
  7. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    It's not a bug, it's gross negligence from ASUS. Breaking the primary security feature of your flagship product is a travesty. They need to pull this Firmware immediately. Any poor soul that migrates to it effectively breaks their router. Do these companies TEST anything? The incompetence is astounding. I reported 2 major bugs to Fortinet this week, both are astounding, and escaped their development teams for - months? It's like these companies think this is the 1970's and software development is a new thing.
     
  8. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    Yeah, and it's sad, not just them, there is no more quality control. One would think that in this day and age, with all the great technologies, things go forward. Unfortunately I always find myself preferring older products/versions, they just work much better.
     
  9. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I have found roughly a half dozen bugs in ASUS firmware. Many of which Merlin can't fix because they are closed source. ASUS should hire Merlin to do their firmware, and pay him handsomely, and fire the clowns they have working on it now.. :thumb: My dilemma is the router is very powerful, with powerful hardware, and a fantastic Trend system in it. I WANT to use it on my network, but at the same time I really want more flexibility, and less bugs. ASUS has a bug where you can't disable the DHCP server properly. You can show it disabled, but it will just assign static IP's to everything, and not actually hand off DHCP to another device. So in effect you can't place it behind a transparent bridge unless you place it in AP mode, so you lose all of its features, including Trend. So ASUS can't sit behind ANY transparent device due to this bug.

    I just built out a Pfsense box today and finally got it working. But it's a no-go on my network. It blocks way too much stuff, even with exclusions, similar to how SOPHOS crippled my network. For example my Smart-TV 'appears' to be launching a DOS attack on the network, it's not, but many UTM's think it is. Higher end devices like ZyXEL and Fortinet are smart enough to not block this, many OpenSource ones do. Then I spent a good while attempting to enter exclusions for War Thunder, and failed - a known issue with many games and Pfsense, and I had the same issue with Sophos.

    Bottom line - I guess ASUS is really the best for home environments, has no yearly cost, and with Merlin firmware is a solid choice. I sure would like IPS features, and other things, but it is what it is...
     
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Can you imagine if ASUS actually ships some units based on this firmware revision? There are a lot of regular users out there who never update firmware. This is disappointing.
     
  11. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    That would be a disaster.. ASUS needs to have versioning where they have WHQL or GA style releases. Stable locations to 'stay' for awhile, and then beta versions in between. They seem to jump from a couple beta versions on to the full out public versions with some level of recklessness. Fortinet is hideous with Firmware. Imagine that, a company that big, with that much at stake.. I recently spent DAYS fixing VPN's on client Fortigates. Fortinet rolled out 5.2.0 and broke several aspects of their VPN configuration. Then there is the mystery of how they 'remove' features in FW updates, only to require CLI to turn them back on. Why remove them in the first place? As I said, sadly this isn't unique, and as devices become more complex, and have deeper feature sets, and configuration, expect this to get worse.

    Mortal is right, this DNS feature of Merlin's stuff is really nice. I never thought I would care about it, but it is handy to simply change out DNS to one of the more secured ones by flicking a drop down menu. But the best part is the 'no filtering' bypass rules for DNS. So I can assign myself a DNS that allows porn, then give my kids one that blocks it.. This is a feature of many higher end NGFW's.
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    That DNS feature does sound interesting and practical. Merlin's programming skills have been well respected for some time now. It seems he ends up fixing the majority of ASUS firmware bugs and often shares those fixes upstream. Hopefully they compensate him well for keeping the firmware in check.

    Also, great job Mayahana for finding out about the lack of AiProtection in this latest firmware and letting us all know. I would put my trust in Merlin at this point for sure.
     
  13. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Thx. That update has been up for almost 2 weeks - that worries me. Next step I guess, try an ASUS beta, and see if they fixed it.. My bets are - they didn't even know that the FW broke AiProtection, and hence, it's broken in all subsequent versions. Otherwise, why would they leave a totally broken FW up?!?!?

    Has Merlin weighed in on FirmwareGate?

    PS: I know because I run security audits on my network every Saturday. When the audit was able to push a few categorized malware domains I use to test reactivity - they slipped past. I know Trend has a DNA fingerprint on those domains, so this was alarming to me.. We all know the story from that point. Note(FYI): Every Saturday I run audits. Every Sunday I suicide from social media, and every 4th Sunday I change critical passwords.
     
  14. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    Merlin is currently working on Beta 1 of Firmware 378.51 which now includes support for the AC3200 as well.

    Can't wait till it reaches final stage.

    Speaking of what people who never upgrade firmware do... well, the number of negative reviews and returns of the AC3200 on Amazon reviews is a joke. A lot of people returned it because it keeps disconnecting a lot. Who signs these products as ready to ship to people o_O?? 0 quality control; although the hardware is great on whitepaper, their drivers/firmware destroy it.
     
  15. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Most consumers are potatoes when it comes to technology. So they don't upgrade Firmware, or even investigate how. I was paid $450.00 (what my company charged) to go to a Fortune 500 executives home and install FW upgrades on his Asus RT-AC87, and then run diagnostics/security audit on his network. But people without the coin to spend? I doubt they bother to ever even check firmware. That's part of the reason why people get compromised, infected, and hacked. Little regard for common sense computing.
     
  16. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I had to rebuild my Untangle NGFW and put it back online. My network came under such ferocious attack with the ASUS on it literally ground it to a halt. I do not believe the ASUS was capable enough to defend against what I need to be defended against. Once I rebuilt the Untangle, and got it back online, and locked down, we were back to normal. Many will recall when I had Fortinets and ZyXELs online I averaged 30,000 direct attacks a week on my gateway.

    ASUS is back into AP mode, and it makes a remarkably good WAP, far better than many enterprise units I deploy, like the FAP221 and FAP223 units.
     
  17. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    New firmware for RT-AC3200 v 3.0.0.4.378.4145

    Changelog:

    ASUS RT-AC3200 Firmware version 3.0.0.4.378.4145
    Security related
    - Upgrade OpenSSL library to 1.0.0q
    - Upgrade TrendMicro engine

    Modifications
    - Adjusted Smart connect variable
    - Modified QIS process
    - Enlarged IPv6 ARP cache
     
  18. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    Previously I used to get around 3 to 5 ms jitter and an overall C grade on www.pingtest.net.

    With the new firmware, the jitter is now 0 and the overall grade is B. This router has a lot of potential; this firmware came as a savior after its initial buggy firmware, which kept disconnecting me and other clients!
     
  19. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    New firmware for RT-AC87U with lots of improvements:

    Version 3.0.0.4.378.4376
    Description Asus RT-AC87U Firmware version 3.0.0.4.378.4376

    Security related
    - Upgrade OpenSSL library to 1.0.0q
    - Fixed CVE-201301813
    - Fixed the XSS vulnerability on page Main_Analysis_Content.asp

    AiProtection fixes
    - Fixed router reboot issue when disabled AiProtection
    - Fixed kernel panic when wan reconnected
    - Modified web history strings
    - Updated signature to 1.030
    - Optimize memory usage

    Bug fixes
    - Fixed IE9 compatibility issue
    - Fixed NAT loopback issue
    - Fixed abnormal SSH system log
    - Fixed network map UI issues.
    - Improved UDP performance

    Other

    - Added Movistar profile in IPTV setting page
     
  20. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220

    That's not new, and that's the one that TOTALLY BREAKS TREND! I suspect the one you changed to also breaks Trend on your 3200..
     
  21. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    I reported the issue to ASUS support. They answered that it is a known issue and that they have reported it to the headquarters in Taiwan.
    Unfortunately, aside from this forum I don't see much interest from ASUS users to report this problem.
     
  22. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I expect the majority don't even know the problem exists, and quite possibly the majority aren't even on that version of firmware. Most people don't discover these kinds of things unless they actually use AND test the features. Turning on Porn block, then not testing porn sites every week seems to be a security lapse, and I think most users aren't really up on things. Anytime I update firmware I run through a series of tests to see what may have broke.

    It's incredible to me Asus engineers didn't even test this firmware against any malware sites, or tick on the URL filtration, and try to surf porn? That's pretty pathetic to be honest. Which is why my ASUS (or ANY consumer grade router) will never be on my gateway as my sole security solution. Most of the life in our home is connected, and I won't trust my life, or my family's, on consumer grade gear.
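
    The post-update check discussed in this thread, sketched as an added example that is not part of any poster's message or of ASUS, Merlin or Trend Micro code: record which test URLs the router's filter blocks before a firmware update, repeat after it, and list what slipped through. The URLs are constructed placeholders, and the block detection (connection failure, HTTP 403, or redirect to another host) is an assumption about how the filter behaves.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed placeholders: replace with URLs your filter is set to block,
# plus one harmless control URL that must always stay reachable.
CANARY_URLS = ["http://malware-canary.example/", "http://adult-canary.example/"]
CONTROL_URL = "http://control.example/"


def probe(url, timeout=5):
    """Fetch one URL from a client behind the router: 'blocked' or 'allowed'.

    Assumption: the filter blocks by failing the connection, answering 403,
    or redirecting to a block page served from a different host.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            final_host = urlsplit(resp.geturl()).hostname
            return "allowed" if final_host == urlsplit(url).hostname else "blocked"
    except urllib.error.HTTPError as err:      # must precede URLError (subclass)
        return "blocked" if err.code == 403 else "allowed"
    except (urllib.error.URLError, OSError):   # DNS failure, reset, timeout
        return "blocked"


def audit(urls, control=CONTROL_URL, probe_fn=probe):
    """Probe every URL; refuse to report if the control is unreachable,
    since a dead uplink would otherwise look like a working filter."""
    if probe_fn(control) != "allowed":
        raise RuntimeError("control URL unreachable; results would be meaningless")
    return {url: probe_fn(url) for url in urls}


def regressions(baseline, current):
    """URLs that were blocked before the update but are reachable after it."""
    return sorted(url for url, verdict in baseline.items()
                  if verdict == "blocked" and current.get(url) == "allowed")


if __name__ == "__main__":
    # Offline demonstration with constructed verdicts instead of live probes.
    before = {url: "blocked" for url in CANARY_URLS}
    after = {CANARY_URLS[0]: "allowed", CANARY_URLS[1]: "blocked"}
    print("no longer blocked after update:", regressions(before, after))
```

    Save the `audit()` result from the known-good firmware and compare it against a fresh run after each update.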
     
  23. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    Oh darn, I thought it was new. For me though, I was desperately waiting for a firmware upgrade since the initial firmware disconnects me all the time. I was on the verge of throwing it and buying an AC68U again but this came and saved me. I'd rather be connected than protected at this time.

    PS: how to check if it breaks trend as u say?
     
  24. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    For you, I think you are bordering on the skills needed to build your own firewall. Buy a cheap refurb dual core, toss Untangle on it, then place your ASUS in AP mode. ASUS routers in AP mode make better AP's than the $900 AP's we sell to clients. You'd be shocked at how granular you can get with a firewall distro, and Untangle is EASY, and doesn't drop pings at all.

    That way you have IPS, AV, and URL scanning on your gateway, with insane control, and then your ASUS is a remarkable access point for super fast, reliable wireless. I think all of the issues with ASUS are crappy firmware, not hardware. When you turn it into AP mode, you basically disable 90% of the firmware, and utilize it in a virtual hardware mode. So NONE of the issues with it are going to bother you.
     
  25. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    Right, but with my small 1 bedroom apartment, I think that's too much. All I wanted was 1 router to do everything and give me a stable connection everywhere with no drops and low pings. Now with this new firmware, finally I am there. If another new firmware drops that will fix what they broke, that's even better.

    PS: you never told me how to check if Trend Micro broke on my router since the release notes with this firmware update say "Upgrade TrendMicro engine" I wanna see
     