Jonathan Hilgeman

Everything complex is made up of simpler things.

Archive for May, 2016




Quick Summary

One of the best investments I ever made was to pony up a few extra bucks over a decade ago to buy the lifetime license for UltraEdit. It’s lightning fast, has more features than a dozen Swiss army knives, has fantastic, responsive and personal support (no outsourced tech support that claims their name is “Ken” and only responds with canned messages), and is just a an all-around fantastic editor for anything text-based (code, XML, etc).

All the basic stuff you’d expect from any decent code editor is in there (syntax highlighting, expandable/collapsible sections, bookmarking lines, etc…), but UE takes it many steps further.

Do you work with XML documents often? Use built-in tools to navigate through XML documents easily, quickly and reliably reformat / prettify them in a click, and more!

Need to edit or view a document in hex? Just hit Ctrl+H to toggle between the views (it auto-defaults to hex for binary files).

Need support for different character sets or want to convert between them? It’s a matter of selecting the desired character set from a dropdown.

Did Windows blue-screen while you were editing a document? No worries – UE keeps draft copies automatically and recovers them for you on the next startup.

Want to edit in columns (e.g. add a comma before 1000 lines all at once)? No problem – switch to column edit mode.

Need powerful search-and-replace functionality that works with different regex engines and also supports filesystem searches? UE’s got that.

Need macros? Not a problem, and hotkeys make it a breeze to do quick recording and repeated playback. There’s a full macro editor for more advanced functionality.

Want to define your own custom commands? Easy.

Want an ASCII table? Yeah, that’s built in.

Need integrated SFTP, SSH, and similar file transfer support? Yeah, that’s also built in so you can edit a file, hit save, and have it auto-upload.

Need to edit HUGE, multi-gigabyte files? No problem.

Need easy-to-navigate file tabs? That’s a default.

Want to compare two files? That’s built in, and it’ll even guess the right files you want to compare based on filename similarity!

And there’s a lot more not covered here, and even more getting added with every version. It’s an absolutely fantastic editor.

Yes, you can get SOME of this via some open-source editors like Notepad++ and I have to use some of those editors on client machines sometimes. There’s just no comparison in terms of how refined UltraEdit is compared to other editors. This is a tool that would be extremely difficult to live without on a day-to-day basis.

Unfortunately, I don’t think they offer lifetime licenses anymore, but it’s well worth the money to own a copy of this if you’re a developer.

Security Task Manager



Quick Summary

When I’m checking out a system for malware, one of my first stops is to install Neuber’s Security Task Manager. I came across this little gem several years ago, when a client asked me to investigate the “Case of the Missing Space”. Basically, their drives were constantly losing free space, and none of the regular tools like TreeSize were able to determine where the massive amounts of used bytes were, and the regular task manager wasn’t showing any weird activity, but the server was acting very strange.

I finally came across Security Task Manager and gave it a go on the server. It instantly picked up a stealth process that was running Java. The process had created folders that were invisible and serving up German pirated movies via FTP. Using that information, cleanup was a snap!

What Does It Do?

The app basically does a thorough analysis of running programs and rates their risk based on behaviors (e.g. invisible windows, ability to record keystrokes, etc…) and also takes publisher information into account (e.g. core Windows processes that “act” suspicious aren’t thrown to the top of the list) and also community-based ratings. It’s still up to you to determine whether or not a process is malicious or not. There are many valid processes (e.g. MySQL server, some browser plugins, etc) that will get rated as risky, but are safe.

However, it’s a great way to quickly get a snapshot of the riskiest running processes in the system, including processes that might be hidden from the normal Windows task manager.

Comodo Internet Security Review


Quick Summary

For the past year, I’ve been tight with Comodo Internet Security Pro. I have it on just about every box I own, including my wife’s computer and my parents’ computers. It’s done a fairly good job so far and has some well-rounded features (stateful antivirus for better performance, behavior-based protection, auto-sandboxing of new and untrusted apps, a comprehensive default list of trusted software publishers, a firewall, etc…). Like pretty much all security software, it does the whole “Do you want to allow X to do Y?” messages that are sometimes cryptic, but the “Trusted Vendors” list keeps those messages to a minimum, which makes it a good option for keeping my less-technical parents safe.

Real-World Example of Ass-Saving

I don’t have a lot of risky behavior online and I keep Java and Flash patched, but I do get a LOT of spam, many of which are laden with viruses. I know that all it takes is a thoughtless double-click to open something I didn’t intend to open and be flooded with additional malware. After about a year of virtually no incidents, that’s exactly what I did two days ago. I was sorting all the junk into the spam folder and had one of those moments where the computer freezes up for just a few seconds but “remembers” your mouse clicks, so I ended up opening a CLEARLY malicious executable on a spam message.

I saw an AutoIt (a generic automation / macro package that’s frequently used for malware) icon appear in my system tray and in a panic, right-clicked it and chose “Exit” in the context menu. The icon went away, and for about 3 hours, I was in panic mode, reviewing every process, running Security Task Manager, checking Process Monitor for any strange disk activity, and so on, but nothing seemed strange, which was strange in itself. Comodo had not thrown up any warnings about anything, so I opened it up and saw that it had detected the unsigned application’s attempt to execute and had sandboxed, effectively neutering it.

Less-Than-Great Detection

Interestingly enough, it didn’t detect any viruses (probably because it was a packed executable / trojan dropper), even when I saved the file separately and ran it through the scanner. I then ran the file through VirusTotal and only a dozen or so of the scanners picked up anything wrong with it (including Kaspersky, which may be my next choice for 2016 protection, given its high detection ratios).

I grabbed a few more virus samples from my spam folder and ran them all through Comodo’s antivirus, and it didn’t pick up ANY of them, although virtually all of them were detected by other scanners in the VirusTotal results, several of them Locky variants of ransomware installers. I submitted each of them to Comodo, and the next day, I got a Comodo definition update that detected the files.

So on the bright side, the auto-sandboxing feature is likely to be effective against many zero-day threats, but I don’t like that Comodo didn’t at least RECOGNIZE the various pieces of malware, and I really don’t want to be the person that’s blazing the way for Comodo’s definition updates.

Trusted Vendors and Auto-Sandboxing = Bane of Software Developers

Given that I develop a lot of software and I don’t normally digitally sign any of the executables, Comodo ends up auto-sandboxing my programs every time I update them, which is REALLY annoying (it’s only a good thing when it sandboxes BAD programs). Each time, I have to open up a new options window, change the file to “Trusted” and click on OK, which takes a good 15-20 seconds before it saves, and then I have to restart my program. So I figured I would simply use my own certificate authority to generate a code-signing certificate and I’d add it to the “Trusted Vendors” list in the Comodo program (they have a feature to do this).

Apparently, that process is just broken and HAS been for years (based on what I’ve seen in the Comodo forums). So even after I added a completely legitimate digital signature to my application, Comodo still didn’t recognize it as a signed executable.

Comodo has a “GeekBuddy” live support option and a community forum (with the WORST Captcha implementation EVER – I’m surprised ANYONE was able to register), so I asked their “GeekBuddy” reps about it. I ended up getting canned, moronic responses. Here’s the gist of the entire conversation (leaving out stuff like account verification):

01:13:15 AM client : Every time I try to add the file to the trusted vendors list, it says it’s an invalid file
01:14:51 AM Derrick : Thank you, please give me a moment to check your account information..
01:15:45 AM Derrick : In the comodo settings under file rating please add the files to trusted

01:18:30 AM Derrick : I understand that you need help in adding file in comodo as trusted. Do not worry, I am here to help.

01:23:35 AM Derrick : Please wait
01:27:15 AM Derrick : Please send an email to so that they will analye the file and they will add the file to trusted
… <ensuing explanation that it signed via my personal CA, not a public CA, but he doesn’t seem to understand> …
01:27:54 AM client : I just want my own digital signature only on this computer to be recognized by Comodo

01:28:58 AM Derrick : Thats will not be possible
01:29:35 AM client : why not? The certificate is trusted on my computer
01:29:51 AM Derrick : Thats the only option can be done (referring to sending in my application via email)

01:32:12 AM Derrick : See if it does not digital signature you will not be able to add the file
01:32:19 AM client : it does have a digital signature
01:32:23 AM client : I can show you the digital signature
01:32:44 AM client : you can see it on my screen right now (screen-sharing session)

01:33:30 AM Derrick : Send the file to that email so comodo will analyze will add the file to trusted …
01:34:57 AM client : I am supposed to be able to add a digitally-signed executable to the trusted vendor list, right?
01:35:36 AM Derrick : But the file says its not digitally signed
01:35:43 AM client : it IS digitally signed
01:35:49 AM client : look at my screen
01:35:58 AM client : the digital signature is on my screen right now
<at this point, he takes control and looks at the digital signature dialog box and fumbles around, at one point clicking on the Install Certificate button, pausing, and then backing out of it, and then abruptly stops>
01:39:10 AM Derrick : Please stay connected let me transfer you to one of my technician since my shift has ended

   His shift ended at 1:39 AM? At this point, Derrick just abruptly disconnects and I’m connected to a different agent, Ken.

01:39:30 AM client : really?
01:39:35 AM Ken : Welcome! This is your buddy Ken. I will be assisting you today!
01:39:59 AM client : Hi Ken …
01:40:58 AM client : I have a digitally-signed executable
01:41:13 AM client : the signature comes from an internal certificate / internal CA
01:41:22 AM client : my computer has all the proper trusts set up
01:41:40 AM client : but when I try to add the executable to the Trusted Vendor list, it says it is not a valid signed executable
01:41:59 AM Ken : I understand that
01:42:05 AM client : I have the digital signature window up on my screen
01:42:36 AM Ken : I do understand this, you need to send this file to us, our developers will validate this file

At this point, I just gave up, but that’s what you can expect from Comodo’s GeekBuddy service. Not really impressive.

To be fair, there are a variety of ways of classifying certain folders as “trusted” so I could theoretically add a folder for each of my programs, but that’s just a pain and doesn’t really make a whole lot of sense when there’s a feature that would work better IF it worked as it should. Unfortunately, the folder-trusting mechanism isn’t recursive, so it won’t automatically trust files that are in sub-folders. Most developers are aware that development work often leads to elaborate folder structures for projects, compiled output, source control, etc…

Plus, if malware got its way into one of those folders, then it would incorrectly be trusted, which would be a Really Bad Thing. So relying on digital signatures is far better, but only if it actually lets you import your own.

The Final Word

The auto-sandboxing thing is really great for protecting everyday users, since those users are less likely to stay updated. That alone makes this product great for a lot of people. However, if you’re a more technical user (e.g. software developer, or a person that runs a lot of unsigned tools), CIS might make things harder than you need them to be.

Based on various reviews, I’ll be trying WebRoot’s SecureAnywhere next (seems effective and lightweight since it’s based on behavior), along with Kaspersky (which I’ve tried before, but we’ll see if it’s made any good progress in the past few years).