Seeker User Guide – Seeker DLP

Welcome to Seeker’s help documentation. Seeker’s purpose is to assist administrators in finding files that may contain sensitive or confidential information such as credit card data or social security numbers, so that unwanted or inadvertent storage can be dealt with before data is stolen.

Seeker was developed to fill the void between the excessively feature-packed enterprise DLP software available today at exorbitant prices and free offerings which are not adequate to the task of quickly and centrally providing concise reports on a company’s distributed resources.

Installation Requirements

Seeker Console
RAM: 8GB minimum, 32GB recommended for large file share scans.
CPU: Dedicated CPU(s) if running on VM. 16 logical CPUs (cores) recommended for large file share scans.
.NET Framework: v4.6.2

The Seeker console can be run on any of the following versions of Windows:

Server 2025
Server 2022
Server 2019
Server 2016
Windows 11
Windows 10

If SQL Server is being used for a back-end database, SQL Server 2019 or newer must be used.

Windows Targets

Windows targets scanned using the “Scan File Contents on Remote Windows Machines” option may also be any of the versions listed above. However, the minimum version .NET Framework version required on targets is only 4.0.

Mac Targets

Note: Rosetta must be installed on machines with Apple silicon.

macOS 15 Sequoia
macOS 14 Sonoma
macOS 13 Ventura
macOS 12 Monterey
macOS 11 Big Sur

Mac Account Access Requirements
Seeker requires an Administrator level account with remote login enabled. Additionally, this account will need to exist in the sudoers file with the NOPASSWD option on.
Example:
accountname ALL=(ALL) NOPASSWD: ALL

Network Access
The Seeker console must be able to reach targets on the service being scanned (e.g. TCP 445 for SMB file shares). Additionally, Windows targets being scanned with the “Scan File Contents on Remote Windows Machines – Executed on Remote Hosts” option must be reachable by the scanner via RPC (TCP 135, 1024-65535), and SMB (TCP 445). The scan target machines must also be able to reach the console server on TCP 443 to send results back over TLS. Important: This means that the Seeker console’s host and perimeter firewalls must allow TCP 443 inbound from the networks of the scan targets.

Additional Recommendations
Older versions of Windows without Office installed may not have IFilters that increase scanning accuracy installed. For this reason, the Office IFilter pack is packaged with the Seeker installer and should automatically install with the console in those situations.

The Microsoft Access Runtime, which includes the Access Connectivity Engine (ACE), is also packaged with the Seeker installer and can increase accuracy with scanned Access database files. This should also automatically install with Seeker if it is not already present.

Windows target systems scanned with the “Scan File Contents on Remote Windows Machines – Executed on Remote Hosts” option that do not have the x64 version of Access installed will benefit from greater accuracy on scans of Access databases if they have the x64 Microsoft Access Runtime installed.

Getting Started

To Run Seeker:

Depending on the operating system, go to the Apps Screen and choose Seeker, or go to the Start Menu and chose the Seeker group, then choose Seeker. You should now see the Seeker console window.

How to Search for Data

Seeker is designed to make the process of scanning a typical organization’s Windows environment easy. Therefore, options are provided for enumerating targets using Active Directory. Seeker also lets an administrator browse for a root folder (local drive or network path), manually add computer names or IP addresses, or provide a CSV file containing target names.

Selecting Scan Targets

To Select Targets by Active Directory OU and/or Computer Account:

On the Targets tab of the Seeker console, click the “Browse Active Directory to Select OUs and/or Machines” button.
Use the tree view to navigate through your domain’s structure and select any OU and/or computer objects you would like to have included in the scan. Multiple selections are possible using the control (non-consecutive items) and shift (consecutive items) keys.
Returned results can be filtered by prefix or substring. For example, if you only want the computers beginning with “finance-“, then enter “finance-” into the text box next to “Return Only Machine Names Beginning With:”.
Press the “Return Machine List” button and you will be returned to the Targets Tab of the Seeker console, with all the selected matching objects populating the “Potential Scan Targets” list.
Select all of the potential targets that you confirm as desired objects to scan from that list (they are all selected by default after being returned from Active Directory) and press the “Add” button to add them to the “Confirmed Scan Targets” list.

To Select Targets by Membership of an Active Directory Group:

On the Targets tab of the Seeker console, click the “Select Active Directory Group with Targets” button.
Type in the group name, and press the “Validate Group Name” button to verify it exists. If it does, you will see a “Validated” message.
Press “Add” and you will be returned to the Targets Tab of the Seeker console, with any computer accounts in the group you specified populating the “Potential Scan Targets” list.
Select all of the potential targets that you confirm as desired objects to scan from that list (they are all selected by default after being returned from Active Directory) and press the “Add” button to add them to the “Confirmed Scan Targets” list.

To Browse for a Network or Local File System Folder to Scan:

On the Targets tab of the Seeker console, click the “Browse for a Root Folder to Scan” button.
In the file browsing window, navigate to the path you would like to scan. You can also type it in the address bar at the top.
Press “Select Folder” and you will be returned to the Targets Tab of the Seeker console, with your path in the “Potential Scan Targets” list.
If your path looks correct, press the “Add” button to add it to the “Confirmed Scan Targets” list.

To manually enter a UNC Path, Machine Name or IP Address:

On the Targets tab of the Seeker console, click the “Add Single UNC Path, Machine Name or IP Address” button.
Enter your desired path, computer name, or IP address in the text box and press the “Submit” button.
Press the “Add” button to add it to the “Confirmed Scan Targets” list.

To Use Targets from a CSV File Generated By Another Program:

On the Targets tab of the Seeker console, click the “Browse for File Containing UNC Paths/Machine Names/IPs to Scan” button. Potentials Targets in the file will be added to the “Potential Scan Targets” list in the Targets tab of the Seeker console.
If the potential targets look correct, press the “Add” button to add them to the “Confirmed Scan Targets” list.

Choose Scan Type:

Select a target type from the radio button list at the top right under “Target Type”. Based on the target type, a subset of options will be available under “Scan Subtype”. No options will be available under subtype if “MS SQL”, “MySQL”, or “Websites” is chosen for scan type.

Defining Search Patterns:

To define the patterns for which you wish to search, select the “Search Patterns” tab in the Seeker console. You will see the default list of Patterns included with Seeker on the list. Each will have a Name, Regular Expression (“Regex”) and, where applicable, a validator. Validators included with Seeker can be used for SSNs, credit card numbers. Optional “companion regexes” can also be included. They are patterns which must appear in proximity to the main regular expression in order for a match detection to be registered. Companion regexes are ideal for pairing with patterns which may otherwise yield false positives. An example would be medical record numbers which are 8 numerical digits long, but would virtually always appear near a string such as ‘MRN’. Requiring the companion regex of ‘MRN’ would eliminate virtually all false-positive 8 digit numbers that might otherwise be detected and appear in your report.

Basic Scan Settings:

Your scan type, filters, and alerts, as well as the file extensions you would like to scan, can be set on the Basic Scan Settings tab. Logging settings can also be set on this tab.

Select File Extensions to Scan:

Under “File Extensions to Scan”, extensions can be added and deleted. All selected extensions will be removed when the delete button is used to eliminate file types.

Set Name/Path Filters:

Any strings added to this list will not be scanned when encountered.

Set Name/Path Alerts:

Any strings added to this list will generate an alert in the report when encountered.

Log Alert based on a file’s Permissions:

If a file’s NTFS permissions include an entry for a group in this list (such as “Everyone”), an alert will appear in the report. Groups/users can be added as desired.

Set Logging options for Report:

“Data to Log for Report” allows you to specify whether to show multiple matches or a single match within a file with more than one match for a given pattern. It also allows you to specify whether you’d like to display only the last four digits in the case that you’re using a SSN or CCN validator for the pattern.

Set Scanning Options for Access Databases:

“MS Access Databases” options allow you to limit scanned rows per table for performance reasons. Also, you may specify a maximum number of errors in a DB to tolerate before ending the scan of the file.

Saving, Loading and Deleting Target Lists

Select File from the menu bar in Seeker. Scan target lists can be saved, loaded, or deleted using the “Save Scan Targets”, “Load Scan Targets”, and “Delete Scan Targets” items, respectively. Saving a target list can be useful if you are scanning a set of computers not easily delineated by Active Directory OU or group, and you wish to avoid the time investment of re-compiling the list each scan.

Note that you also can separately use text files you have created elsewhere with the “Browse for File Containing UNC Paths/Machine Names/IPs to Scan” button on the Targets tab in Seeker. These files must have a single target per line.

Saving, Exporting, and Importing Scan Configuration

To Save Your current Scan Configuration

Select “File” from the menu bar and click “Save Config”. The next time you open Seeker, your current configuration settings should be in place.

To Export Your Current Scan Configuration

Select “File” from the menu bar and click “Export Config”.
Browse to the path where you wish to export your configuration settings.
Enter a name for the file in the text box at the bottom of the window.
Press the “Save” button.

Your configuration settings have now been exported into an XML file that can be used by other accounts or machines running the Seeker console.

To Import Scan Configuration Settings from a File

Select “File” from the menu bar and click “Import Config”.
Browse to the path with a Seeker-generated configuration XML file from which you wish to import your configuration settings.
Press the “Open” button.

Your configurations settings in Seeker should now be in line with those from the XML file you selected.

Restoring Default Configuration Settings

To Restore the Default Installation Scan Configuration:

Select “File” from the menu bar and click “Restore Default Config”. Your settings should now be restored to the installation defaults.

Saving and Loading Scan Results

Scan results are automatically saved to Seeker’s database and can be loaded at any time using the File menu / Load Saved Scanned Results.

Scheduling a Scan

Once you have chosen all settings and targets for a scan, you may opt to run the scan on a schedule.

To Schedule a Scan
With all settings and targets for a scan specified, press the “Schedule this Scan” button on the “Targets and Scan Type” page or alternatively, on the “Scheduled Scanning” tab, press the “Add Scheduled Scan with Current Properties” button.

New in Seeker 2.X: After you click “Schedule this Scan”, Seeker prompts you to choose the target type for the job. Select “Static Target List” list to scan the exact hosts shown in the Scan Targets list in the main tab, or select “Dynamic Target List” to have Seeker query an AD Organizational Unit each time the schedule runs.  When the Dynamic option is used, the target list is rebuilt at run‑time—devices added to or removed from the OU are automatically included or excluded—so you never have to edit the schedule to keep it current.

On the “Create Scheduled Scan” window that opens, specify a scan name and frequency from the options provided and then press the “Schedule Scan” button.

A “Provide Credentials for Scan” window will appear. These will be the credentials given by the scanner to the target of the scheduled scan. Selected the account to use and press “Submit”.

A “Scheduled Task Credentials” window will appear requesting the password for the current account running Seeker. This is necessary for Windows Scheduled Task creation for any task running in a user context (as Seeker does) and must be provided for a task to be scheduled.

Scheduled scan results can be retrieved in the GUI after completion. This is done through the same method used to retrieve previous scans run in the GUI (using the File menu / Load Saved Scanned Results).

To Edit a Scheduled Scan
After a scheduled scan has been created, they may be edited by name in the “Scheduled Scans” tab, as shown below.

You may change the credentials used for scanning, and the credentials used on the scheduled task with the leftmost two buttons in the scan’s row (remember that if the password for the account running the scheduled task changes, it would be necessary to update the scheduled task’s password to match).

The “View/Set Schedule” button can be used to change the frequency at which the scheduled scan runs.

The “Load Targets/Settings” button for a particular scan will bring all the targets, settings, and selected patterns for that scan into the “Targets”, “Settings”, and “Search Patterns” tabs. Similarly, the Save Targets/Settings button will save the current values in those tabs into the scheduled scan’s properties.

The Export button allows a you to set a path to which results for the scheduled scan will always be exported. When exported, if your desired export path is c:\your\export\path and your scan’s name is AccountingFileShares, the scan will be exported to c:\your\export\path\AccountingFileShares-YYYY-MM-DD-hh-mm-ss.xlsx, where YYYY-MM-DD-hh-mm-ss represents the exact time the scan was run.

To Run a Scan from the Command Line

Any scan configured as a scheduled scan can be run from the command line at any time. In your seeker installation directory (such as C:\Program Files\Seeker LLC\Seeker 1.5), the seekcl.exe executable can be run to perform this action. If the scan you wish to run is called AccountingFileShares, and your desired export path is c:\your\export\path, use the syntax:
seekcl AccountingFileShares -e c:\your\export\path

As with your scheduled scans, the scan will be exported to c:\your\export\path\AccountingFileShares-YYYY-MM-DD-hh-mm-ss.xlsx, where YYYY-MM-DD-hh-mm-ss represents the exact time the scan was run.

Managing Exclusions

In the process of sensitive data discovery across file shares, computers, database servers, and other sources, there will inevitably be instances where you encounter false positives or items that are essential for business operations. The exclusion management feature in Seeker allows you to efficiently handle these situations by excluding specific items from future scans.

Excluding Items

To exclude an item from future reports:

Identify the Item: In the Seeker report, locate the file path or database table, or the respective hash value, that you wish to exclude.
Open the Manage Detection Window: Click on the identified path or hash. This action opens the ‘Manage Detection’ window.
Specify Exclusion Criteria:
- Check the box next to the item type you want to exclude (path, hash, or both).
- Select the reason for exclusion from the dropdown menu (e.g., ‘False Positive’).
Confirm Exclusion: Click the “Exclude from Future Reports” button. Once confirmed, the selected item will not appear in reports for any subsequently performed scans.

Managing Current Exclusions

To view or modify your current exclusions:

Access Exclusion List: Navigate to ‘Data -> Manage Exclusions’ on the menu bar of the main Seeker application window. This section will display a comprehensive list of all excluded items.
Manage Exclusions:
- Review the list to confirm or reassess your exclusions.
- To remove an item from the exclusion list, click the ‘Delete’ button next to it. This action will reinstate the item in future scans.

Selecting & Migrating the Back-End Database Type

New in Seeker 2.X: Seeker can now store its data in either the default SQLite database or a Microsoft SQL Server database. To move to SQL Server, Open Data → Select Back‑End Database Type, choose SQL Server, and enter the server name or IP (and port, if non‑default). Leave Migrate Existing Data When Changing Type checked to copy all tables and records into the new back‑end in one step. You can press the Test Connection button to verify connectivity, and Apply to change type (and migrate data if the option is selected). The first user performing the switch (the account running Seeker at that time) must have permission to create the SEEKER database and its tables; afterward, users only need read/write rights on those tables to work with Seeker. You can revert to SQLite at any time by returning to this dialog and selecting Default SQLite—the same migration prompt appears so nothing is lost.

Note that if SQL Server is being used for a back-end database, SQL Server 2019 or newer must be used.

Compacting SQLite Database to Save Disk Space

New in Seeker 2.X: If you are using SQLite as your back-end database, Seeker now includes a Compact Database option that reclaims unused space and shrinks the SQLite database file. From the menu bar, simply open Data ▸ Compact Database (SQLite) to shrink your .db file.