Trend Deep Security - Consumer Routers

Discussion in 'other anti-malware software' started by Mayahana, Oct 11, 2014.

  1. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I've been experimenting with Trend Deep Security for a few weeks now. It's bundled with the ASUS RT-AC87 router. It's essentially the enterprise Deep Security inspection aspects of Trend.

    http://www.asus.com/us/Networking/RTAC87U/

    One aspect of the router is it uses Trend's 80-85% detection rate HTTP/HTTPS scanner. Very effective, but I think that is neglecting the behind the scenes aspect of the TDS system. I have been testing the TDS system response, and adaptability over the last few weeks and I am extremely impressed. Allow me to explain..

    Last week I started going to CleanMX to get trojans to test Norton 2015 after I evaluate to see if they are real trojans. When I first started going to CleanMX Trend (on the ASUS) would rarely flag anything, probably only 25% of anything I clicked. As the hours progressed I noticed Trend flagging more and more on CleanMX. Yesterday I noticed that it picks up 100% of every link on CleanMX, I simply cannot force anything past the router at this point from CleanMX. I do not profess to know how TDS works, but it's clear that the 'intelligent' malware patching system works as intended, and this can be tested by anyone. Based on this it appears that TDS saw a lot of malware links coming through my system, and now scrapes anything on CleanMX in realtime. It effectively enhanced its own database to a level of 100% of malicious links on CleanMX.

    Thoughts? To me this is remarkable.. While the 'initial' few got through, it was a matter of hours until Trend started scraping every current and future link on CleanMX.. How else would this be explained? I am going to test it with another malware link hosting database and reproduce it. If that's the case it means as more and more people get higher end ASUS routers, and get on TDS that our protection levels as a group are going to go up substantially.
     
  2. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    433
    Location:
    Hengelo
    Trend Micro has copied a part of our HitmanPro.UTM system, available in Sitecom's routers since 2011. It's what we call the fingerprint loop. Trend Micro's approach in consumer routers only works for URLs, as it is not blocking threats by analyzing the downloads or payloads itself on the local router. HitmanPro.UTM also performs deep packet inspection on the local router and blocks variants of malware as well, which also offers better protection if you are the first or only person visiting a link. We have a patent for it: http://www.google.com/patents/EP2501099A1?cl=en

    Sitecom Cloud Security (our HitmanPro.UTM): https://www.sitecom.com/en/sitecom-cloud-security/347
     
    Last edited: Oct 12, 2014
  3. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
    So is Trend infringing or are they licensed?
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,123
    Location:
    USA
  5. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,123
    Location:
    USA
    It's a monster of a router. If they can get the price down or offer a little brother version (by reducing the hardware specs a bit while keeping the Trend security) I'd get one straightaway.
     
  6. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    ASUS will be implementing Trend-DS as part of other models, and lower end models as manufacturing ramps up. RT-AC87 is a monster - I agree, which is why I bought it. It's the most powerful consumer router in the world right now. Sitecom, while interesting, isn't an option for North America for a variety of reasons, the least of which is there isn't a North American Reseller of it, and Warranty, FCC, and other considerations. Right now for the consumer that doesn't want to program complex enterprise UTM devices, the ASUS is the best option.

    Well I guess we can say Trend's Fingerprinting in ASUS routers works. I cannot infect a machine on my network anymore from *ANY* of the malware hosting websites.. LOL! Even though Trend-ASUS isn't a malware scanner, with the DS system they have in place it seems to offer a remarkable front-door protection. According to PC-Mag, ASUS-Trend offers 80-85%+ protection from malware, that's before fingerprinting. I can say from my tests on CleanMX it's 100% after it has completed fingerprinting. Here is what I find very cool: If anyone on this board gets the ASUS-Trend router they will see I've already fingerprinted all of the malware distribution databases. As a geek I find that awesome. I just clicked on every single malware link on CleanMX that was posted in the last few hours, and Trend blocked every one. Even Zero-Day ones.
     


  7. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    433
    Location:
    Hengelo
    No they are not infringing as Trend Micro is not performing real antivirus on the router - theirs is just a URL filter. Our patent is about deep packet inspection, analysing binary downloads, on a consumer router with a real-time cloud-residing database.
     
  8. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I just finished fingerprinting 4 more malware link databases. That should help everyone. :isay:
     
  9. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    I'm interested in if Trend DS can be implemented in a router other than ASUS one.
    It's just how Trend's SPN reputation system works, isn't it?
    If you download malware from a link, then not only the linked site's rep but also the rep of the hosting site and all downloads from those sites fall.
    If the malware can be downloaded from another source, e.g. from a spam mail or from other sites, then their sender/IP/domain's rep falls, and if those sites already have a bad rep then it affects all other relations they have.
    Some files include URLs in their binary, and if those sites' URLs are found in a file, then the file's rep falls.
    Examples go on.

    In the past Trend sent lots of bots to a site where a Trend user visited to see whether the site is good or bad.
    But this system bothered some web-masters so I assume they made some change.

    One thing I wonder is why they didn't do well the first time, for I myself sometimes use those links with Trend's gateway product (usually for corporate) so they should already know what CleanMX is before your tests.
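
A toy sketch of the linked-reputation idea described in the post above, added here as an illustration; it is not part of the original thread and is not Trend's actual SPN algorithm. The scoring scale, decay factor, blocking threshold and every hostname are constructed assumptions.

```python
from collections import defaultdict, deque

class ReputationGraph:
    """Toy model: URLs, hosts and files are nodes; edges mean 'related to'."""

    def __init__(self, decay=0.6, block_below=0.5):
        self.score = defaultdict(lambda: 1.0)  # 1.0 = clean, 0.0 = known bad
        self.edges = defaultdict(set)
        self.decay = decay                     # assumed: penalty shrinks per hop
        self.block_below = block_below         # assumed blocking threshold

    def relate(self, a, b):
        self.edges[a].add(b)
        self.edges[b].add(a)

    def report_malicious(self, entity, max_hops=2):
        """Zero the entity's score, then spread a decaying penalty outward."""
        self.score[entity] = 0.0
        seen, queue = {entity}, deque([(entity, 0)])
        while queue:
            node, hops = queue.popleft()
            if hops == max_hops:
                continue
            penalty = self.decay ** (hops + 1)
            for nxt in self.edges[node] - seen:
                seen.add(nxt)
                self.score[nxt] = max(0.0, self.score[nxt] - penalty)
                queue.append((nxt, hops + 1))

    def verdict(self, entity):
        return "block" if self.score[entity] < self.block_below else "allow"

def simulate():
    """Constructed sample: three downloads on one host, one dropped file."""
    g = ReputationGraph()
    host = "files.example"
    a, b, c = (f"http://{host}/{n}.exe" for n in "abc")
    for url in (a, b, c):
        g.relate(url, host)
    g.relate("file:dropper", a)                         # file fetched from a
    g.relate("file:dropper", "http://c2.example/gate")  # URL embedded in binary
    before = g.verdict(b)                # b has never been visited or reported
    g.report_malicious(a)
    after_one = (g.verdict(host), g.verdict("file:dropper"), g.verdict(b))
    g.report_malicious(c)                # second bad download on the same host
    return before, after_one, g.verdict(b)
```

In this model one bad download drags down its host and the file that came from it, and a second report on the same host is enough to block a sibling URL nobody has fetched yet.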
     
  10. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Not exactly as they also have signature-based Network IPS, though still limited compared to the dedicated appliance which Trend made for DS as it also has advanced sandbox scanning.

    Also note that Trend's URL reputation not only works reactively, but also proactively.

    BTW actually consumers still have other options if they have unused old computer.
    There're several free UTM OS such as Sophos, Untangle, Endian, Redwall, BrazilFW, and GB-Ware.
    Sophos requires 2 NICs, but most others can be used with 1 NIC with an added LAN port.
     
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,123
    Location:
    USA
    I would do this if my only old PC wasn't so big and loud :) Even then I would want to integrate WiFi. It would be easier and maybe more cost effective in the end to throw down for the ASUS RT-AC87. For now I'm going to wait a little and see if UTM features trickle down.
     
  12. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I agree, to classify it as merely a 'url scanner' is inaccurate, and I stated that in the other Trend thread. Advanced IPS through the cloud w/virtual patching, as well as sandboxing is very evident if you test it. Thanks for the detailed explanation.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    I have a Netgear Prosecure UTM 25. It has worked well for me, but it was a bit expensive. It's good to see home users have more hardware options now that were only available for the business market several years ago.
     
  14. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    UTM25 is EOL though, how are you getting signature updates for its Sophos?

    But I agree, now with powerful UTM's under $500, things are getting much better. USG60 I think is the best-in-class for $400 range in terms of raw protection/detection. But with ASUS pushing out UTM solutions for consumers, we should start to see significantly improved internet security in the home. ASUS RT-AC87 is powerful, but at $249 it's still not viable for many homes. Supposedly the Trend DS will arrive for some cheaper models at some point. The best part is these don't require a subscription for the UTM features.
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    Yes, the AV is Sophos. I paid for a 3 year subscription when I purchased the appliance. I'm not currently using the appliance, but I still have it. I had some health problems which caused me to pack up everything I had, and put it in storage. I had a year remaining on my subscription when I did that. The subscription has run out now, but I plan on renewing it once I'm in a position to do so. There is a possibility of me switching to something else if I can find something that performs well, and is considerably cheaper. I'm switching career paths now, and it's been difficult to find work in such a bad economy.
     
  16. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,081
    Location:
    Netherlands
    So to be clear: TrendMicro is NOT licensing HMP UTM?
     
  17. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    433
    Location:
    Hengelo
    No they have not licensed our technology, otherwise they would have had a much more complete approach instead of just the URL filter which is not much different than Microsoft SmartScreen.
     
  18. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    @markloman
    No, it's not just the URL filter and very different than SSF.
    See post #10, it has NIPS.
    I admit HMPA is more proactive when it comes to exploits, but it's not relevant here, and NIPS can block a 0day exploit as long as the vulnerability is reported to Trend.
    Yes, if the product combines an antimalware scanner it'll be more complete.
    Currently only corporate users can use advanced sandbox scanning but I think it's reasonable as it consumes lots of resources & time (sometimes more than 30 min) for analysis, and also consumers will rarely be targeted by advanced malware.
    It's not recommended to use the product alone, users should use AV or other software on each computer.
    Also while Microsoft SSF's reputation is quite immature, Trend is more mature and can block even previously unknown websites.
    It's better to distinguish URL reputation from URL filter as you can't blacklist an unknown site but can calculate its reputation.
     
  19. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    It's very mature, and is built on the back of an expansive enterprise solution. I would say it's a very 'competent' layer to security, a great set of locks on the front door. A major bonus is there are no subscription fees or renewals, that's actually a huge bonus. According to some testing, Trend ASUS blocks 80-90% of all known and unknown malware delivery mechanisms. Rubenking said it was the most effective in this area. Now add any old antivirus to a machine, and you are pretty much set for protection. Speed is another big bonus, as the throughput is astounding on these upscale ASUS routers with Trend. Trend signed a deal with ASUS to get Trend 2015+ (great package) bundled with all ASUS Computers and Devices. As part of the deal Trend provides ASUS routers with this protection for free, for life of the product. Trend also benefits by getting 'millions' of new devices out there, fingerprinting malware/websites so the entire product - in realtime - grows stronger by the day.
     
  20. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I have a Fortinet 90D, ZyXEL USG60, and Juniper SSG sitting at home but have elected to use the ASUS RT-AC87 simply because it's so powerful. The Wireless Coverage is insane, the speeds are amazing, and the parental controls are very robust - and Trend seems to do the job on it. I have debated switching back to a dedicated UTM appliance, but I always regret it because I want maximum speed. Even high throughput UTM appliances can offer some level of 'drag' in some way. For example flow vs proxy scanning, and once you crank everything up for maximum protection you can stress the throughput when spread over multiple clients, or dozens of clients. ASUS RT doesn't have this issue, it's set up for maximum power/speed, while offering good security.
     
  21. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
  22. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    This is part of Trend's deal with ASUS. Trend comes pre-installed on all ASUS computers, and Trend benefits by having their Trend Deep Security Fingerprinting on millions of consumer routers, thus improving their detection engine and cloud scanning. It's a win win, especially for consumers!
     
  23. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Their DPI tech is quite interesting, as they also leverage it to do QoS too (which by the limited reports I have read, works really well), all whilst being compatible with certain levels of hardware acceleration of NAT that traditional rule based traffic monitoring (be it for QoS or filtering) are not compatible with.
    Looking forward to getting this tech on my AC56U.

    Cheers, Nick
     
    Last edited: Oct 28, 2014
  24. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    433
    Location:
    Hengelo
    Just for clarity, it's not DPI (Deep Packet Inspection). Nonetheless, it's a nice feature.
     
  25. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK