Gone in 60 Minutes: Stealing Sensitive Data From Thousands of Systems Simultaneously with Open DLP

Video thumbnail (Frame 0) Video thumbnail (Frame 789) Video thumbnail (Frame 1774) Video thumbnail (Frame 2920) Video thumbnail (Frame 3629) Video thumbnail (Frame 4281) Video thumbnail (Frame 4825) Video thumbnail (Frame 6689) Video thumbnail (Frame 7605) Video thumbnail (Frame 8275) Video thumbnail (Frame 9144) Video thumbnail (Frame 10519) Video thumbnail (Frame 11655) Video thumbnail (Frame 12571) Video thumbnail (Frame 14847) Video thumbnail (Frame 15384) Video thumbnail (Frame 16160) Video thumbnail (Frame 16765) Video thumbnail (Frame 17356) Video thumbnail (Frame 17980) Video thumbnail (Frame 18500) Video thumbnail (Frame 19813) Video thumbnail (Frame 20676) Video thumbnail (Frame 21220) Video thumbnail (Frame 21961) Video thumbnail (Frame 23220) Video thumbnail (Frame 23767) Video thumbnail (Frame 24532) Video thumbnail (Frame 25085) Video thumbnail (Frame 25713) Video thumbnail (Frame 26799) Video thumbnail (Frame 27329) Video thumbnail (Frame 28297) Video thumbnail (Frame 29006) Video thumbnail (Frame 30459) Video thumbnail (Frame 32917)
Video in TIB AV-Portal: Gone in 60 Minutes: Stealing Sensitive Data From Thousands of Systems Simultaneously with Open DLP

Formal Metadata

Gone in 60 Minutes: Stealing Sensitive Data From Thousands of Systems Simultaneously with Open DLP
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Andrew Gavin - Gone in 60 Minutes: Stealing Sensitive Data from Thousands of Systems Simultaneously with OpenDLP https://www.defcon.org/images/defcon-19/dc-19-presentations/Gavin/DEFCON-19-Gavin-OpenDLP.pdf Got domain admin to a couple of thousand Windows systems? Got an hour to spare? Steal sensitive data from all of these systems simultaneously in under an hour with OpenDLP. OpenDLP is an open source, agent-based, massively distributable, centrally managed data discovery program that runs as a service on Windows systems and is controlled from a centralized web application. The agent is written in C, has no .NET requirements, uses PCREs for pattern matching, reads inside ZIPs like Office 2007 and OpenOffice files, runs as a low priority service so users do not see or feel it, and securely transmits results to the centralized web application on a regular basis. The web application distributes, installs, and uninstalls agents over SMB; allows you to create reusable profiles, view results in realtime, and mark false positives; and exports results as XML. OpenDLP also supports scanning databases for sensitive information. It can also perform agentless scans of Windows systems over SMB and UNIX/Linux systems over SSH. Andrew Gavin creator of OpenDLP, is an information security consultant at Verizon Business. He has more than 11 years of experience in security assessments of networks and applications. He has consulted for numerous customers in various industries around the world. Twitter: @andrewgavin

Related Material

Sensitivity analysis Standard deviation Presentation of a group System programming System programming Computer font
Slide rule Building Presentation of a group Game controller Freeware Ripping Open source System administrator Demo (music) Port scanner Process capability index Revision control Component-based software engineering Benchmark Web application Software testing Information Presentation of a group Computer font Demo (music) Information System administrator Open source Electronic mailing list Planning Domain-specific language Benchmark Entire function Component-based software engineering Web application Software Right angle Window
Workstation <Musikinstrument> Web crawler Service (economics) Computer file Authentication System administrator Password Port scanner Directory service Database Directory service Benchmark Writing Read-only memory Computer network Hash function Cuboid Regular expression Information Regular expression Extension (kinesiology)
Service (economics) Computer file Weight Multiplication sign 1 (number) .NET Framework Port scanner Directory service Limit (category theory) Login Total S.A. Computer programming Computer icon Read-only memory Semiconductor memory Befehlsprozessor Web application Cuboid System programming Regular expression Default (computer science) Server (computing) Mikroblog Directory service Connected space Graphical user interface Web application Computer network System programming Window Resultant
Link (knot theory) Computer file View (database) Hyperlink Directory service Client (computing) Complete metric space Entire function Number Web application System programming Web application Information Regular expression Resultant Electric current
Benchmark Read-only memory Computer network System programming Calculation Virtual machine Port scanner Hard disk drive Regular expression Regular expression Extrapolation Benchmark
Computer file Multiplication sign Calculation Port scanner Directory service Core dump Web crawler Entire function Number Befehlsprozessor Benchmark Computer network Befehlsprozessor Quadrilateral System programming File system System programming Cuboid Regular expression Regular expression Extrapolation
Greatest element Graph (mathematics) Information Port scanner Core dump Open set Line (geometry) Entire function Number Benchmark Single-precision floating-point format Core dump System programming System programming Regular expression Pairwise comparison Extrapolation
Laptop Sine Demo (music) Computer file Multiplication sign Interface (computing) Demo (music) Projective plane Port scanner Neuroinformatik Befehlsprozessor Benchmark Computer network System programming Web application System programming Resultant
Sensitivity analysis System administrator Open source Maxima and minima Lattice (order) Profil (magazine) Auditory masking Password Compact Cassette File system Information security Window Local ring
Complex (psychology) Computer file Patch (Unix) Multiplication sign Maxima and minima Directory service Modulare Programmierung Number Semiconductor memory Computer configuration Office suite Extension (kinesiology) Position operator Information Sampling (statistics) Content (media) Plastikkarte Directory service Limit (category theory) Uniform resource locator Film editing Hash function Password Computer network Normal (geometry) Table (information) Regular expression Window
Authentication Addition Read-only memory Cellular automaton Multiplication sign Computer program Domain name Game theory
Web page Touchscreen Profil (magazine) Demo (music) System programming System programming Installable File System
Number View (database) View (database) Personal digital assistant System programming Port scanner System programming Port scanner Game theory Resultant Number
Number Greatest element Computer file System on a chip 1 (number) Game theory Position operator Number
Slide rule Number Computer file Perturbation theory Hill differential equation Latent class model Position operator
Scripting language Injektivität Server (computing) Table (information) Sequel Computer file Demo (music) Authentication Port scanner Database Database Directory service Traverse (surveying) Number Structured programming Different (Kate Ryan album) System programming Gastropod shell System programming Table (information) Data structure Window
Execution unit Expression Table (information) View (database) Database Database Dynamic random-access memory Plastikkarte Differenz <Mathematik> Profil (magazine) Software testing Table (information) Game theory Row (database)
Table (information) View (database) Profil (magazine) Mountain pass System programming File format Database Selectivity (electronic) Port scanner Dynamic random-access memory Total S.A.
View (database) Computer configuration Database Table (information)
Scripting language Demo (music) Computer file System administrator Shared memory Electronic mailing list Port scanner Directory service Online help Entire function Read-only memory Semiconductor memory System programming File system Gastropod shell Cuboid Window Installable File System Extension (kinesiology)
Frame problem Profil (magazine) Real number Password Software testing Directory service Flynn's taxonomy
Computer file Password Plastikkarte Directory service Hidden Markov model Port scanner Read-only memory Computer configuration System programming System programming Extension (kinesiology) Regular expression Vacuum
Execution unit View (database) Profil (magazine) Multiplication sign Lemma (mathematics) Shared memory Maxima and minima Dynamic random-access memory Total S.A. Summierbarkeit Window Sanitary sewer
Information management Computer file Mountain pass Computer file Shared memory Maxima and minima Port scanner Bit Directory service Different (Kate Ryan album) Convex hull Extension (kinesiology) Window Vulnerability (computing) Window
Computer file System programming Shared memory Electronic mailing list Plastikkarte Directory service IP address Resultant Extension (kinesiology)
Demo (music) Computer file View (database) Multiplication sign Summierbarkeit Sanitary sewer Address space
Ripping Open source System administrator Plastikkarte Database Open set Domain-specific language Entire function Number Computer network System programming System programming Software testing Software testing Information security Freeware Proof theory
Web page Filter <Stochastik> Group action Computer file System administrator Database Revision control Virtual reality Hacker (term) File system System programming Information Multiplication Source code Default (computer science) Information Projective plane System administrator Database Bit Machine code Binary file Twitter Data mining Type theory Googol Computing platform Quicksort Information security Regular expression Window
Computer file Demo (music) Open source Blog Interface (computing) Sheaf (mathematics) Pattern language Regular expression Login Maß <Mathematik>
Laptop Computer virus Trail Scheduling (computing) Server (computing) Computer file Multiplication sign 1 (number) Client (computing) Total S.A. Information technology consulting Computer programming Web 2.0 Revision control Goodness of fit Blog Profil (magazine) Average Computer configuration String (computer science) System programming Plug-in (computing) View (database) Structural load Computer file Electronic mailing list Database Volume (thermodynamics) Line (geometry) Web application Antivirus software Process (computing) Auditory masking Telecommunication Quicksort Table (information) Window
good afternoon my name is andrew gavin and i'm here to talk to you about a tool i wrote about a year ago and I've been updating ever since it's called open dlp and how you can use that to steal sensitive data from thousands of systems in less than an hour so just a standard
disclaimer I'm here just representing myself even though I work for the rising business they have nothing to do with the tool nothing to do with the presentation and also if you use my tool and you get in trouble not my fault so my outline here I'm going to talk about
what open dlp is for those of you who aren't familiar this is by the way building on a presentation i gave its MOOC on earlier this year my reasons for writing it how the agent portion works i'll show benchmarks between the agent and the agent list scanner and you can see the drastic speed improvements that an agent offers i'll give a live demo the agent and also live demo of some new features i've got for demos lined up i plan on flying through these slides because I've got a lot I don't know much time but I do have quite a few slides and I hate slides I like demos so and then at the end we'll do a condom I'll show my contact info and we can have a few minutes for Q&A so what is open dlp
for those of you don't know it is a data discovery tool and there are two components to it there's a web app that kind of controls everything and that's on the lamp stack so apache mysql and pearl and there's a windows agent that runs on obviously microsoft windows and it's open source released under the GPL version 3 and it is useful for compliance people so if you're like a PCI guy you want to find out where your PCI data is you'd want to use this it's also good for proactive network and system administrators because we all know they are proactive right and then finally the coolest thing what I do I'm a pen tester so I really wrote this for myself and I write this I use this after i get domain admin and then I just let this thing rip on the entire network and it's pretty cool so what was my reason
for writing it well there really was no free agent based solution last year when I started this and the only solutions were really gooeys that you could run on your desktop like Cornell spider and you could hack those to be an agentless scanner where you would do a net use to the remote hard drive and mount it locally but as you'll see with the benchmarks it's not really ideal for a very very large deployment it's going to be very very slow so how does it work for the agent based scans
how do you how do you get it going well the first thing we want to do is going to create a policy and this policy is going to be reusable you're going to have your administrative credentials because the agent runs as a service and you need to be admin on the box to install a service and then you can do other things like whitelist and blacklist files and directories and then you want to configure your regular expressions that you're going to use it uses pc aires i assume we're all familiar with that here and then a few other things that i'll show then you're
going to start a scan and you're going to it's going to be deployed over SMB and it's going to get kicked off by the win exe program which is like the Linux PS exec and it can concurrently deploy the scanners up to as many as you want in parallel so instead of just sending out one of the time you can send out maybe 30 or 50 at a time just to get it going faster now when the agent is
running on the windows box is going to run as a as a service as i said but it'll run at low priority so no one's really going to see or feel it there's not going to be a little pop-up GUI box or nothing in the system icon tray or anything like that it's also going to limit itself to a percent of memory so if you want to scan some huge 10 gig file and the windows box only has a gig and try to load that tanking file the 1 gig of memory bad idea so what it'll do is it'll chat large file into smaller chunks that's defined as a percent of system memory so like ten percent of system memory or twenty percent or whatever you decide to use finally when it's done what's going to scan it's going to go through the whitelist and blacklist and then scan the resulting files and then every so often it's going to ping back with to your web app with results and it'll give a little status updates and stuff and this is done securely it's over to a trusted ssl connection so if someone tries to man-in-the-middle it it's not going to do anything it's written in pure see it's there's no dotnet requirements so if you want to run this on an old windows 2000 or XP box that doesn't come by default with net it's still going to work and finally when it's all done it's going to uninstall itself automatically as a service it's going to delete its directory completely really the only way that you it was theirs by looking at the logs and certainly 99% of the windows users won't even notice it was there in the first
place in the web app you can monitor the agents and as I said before it's going to ping with results every so often and you can see how many files and bites if it's been priced processed you can control the agents pause stop uninstall resume the agents and you can also view
the results live as they're coming in you can if you see if you see a finding you can download that file just to verify if it's actually there there's they'll be a little hyper link there and i'll tell you the byte offset inside the file where it thinks it found whatever regular expression like I found a social number at offset 500 in this file so i
know what you're thinking yeah i invented multiplayer grep but someone I guess had to do it and just to go
through some benchmarks these are the specs it's a couple years old machine but just for the sake of this benchmark I ran it on two gigs with 13 reg X's
that took it just over an hour an hour seven minutes and I can go through the rest of this but I'm on the flip side an agentless scanner the same exact thing
took an hour and 20 minutes for 13 reg X's and for the agentless scanner of
that time about twenty percent of the time was spent downloading the files because with an agentless scanner you basically have to download the entire file system to your own box you can process those files so twenty percent of the time was spent on that and nearly eighty percent of it was spent on crunching the numbers now if you're going to do this for more than one box more than one target you're going to run into some bottlenecks and probably the biggest bottleneck is going to be your own systems CPU and that's what's really going to slow things down so just for
one system it's only really nineteen percent slower but if we extrapolate this to more systems we see here the blue line is the open dlp agent remains flat just about one hour and the
agentless scanner with one core for 25 systems will take over a day just just 25 systems takes over a day oh sorry so on the bottom it's there's really not much information it just says for the for this graph it shows from going from 100 to 2000 sorry about that so for 2,000 systems which is way on the right it'll take almost three months to scan 2,000 systems with a single core system that i use my benchmark on but with the open dlp agent it just takes one hour and you can't see that but trust me it's earth it just remains flat
the the upsides to an agent based solution are that although all the computations are done on those victims systems it's basically a distributed project it's like CD but instead of searching for aliens you're owning data and it also doesn't have much network traffic it's only sending out about one Meg initially with the agent and then every so often it pings back with that those those results and the log files so it's really not a whole lot of traffic at the downsides to the agentless scanner are of course everything has to be processed by you by your own laptop or your home system so you're going to do this two thousand times sin in parallel it's really going to crush your CPU and of course you have to download everything to your system as well submission show a live demo of the agent
and this is the interface make it a
little bit bigger and what you first
want to do is you want to go to the profiles and you want to create a new profile so for this wheel is call it agent and we'll select the windows file system for the agent and you can mask your unmasked sensitive data I don't like to mask sensitive data cassettes lame so we want to do the local administrator account with the secure password of blah one two three you can see you have to specify the domain or
the workgroup if you don't have the password though someone sent a patch to you can put in the SMB hash so even if they've got like a 64 character long ntlm password that's super complex that rainbow tables won't even touch no problem just put in the SMB hash and you're good to go the install path this
is kind of important because when the agent is uninstalled it will recursively and forcefully delete this directory so please do not do not do not install it to the windows directory or anything like that you've been warned this is the memory limit that you can set where it'll chop up the files here's where you can whitelist and blacklist directories so I've got some sample data in this directory and likewise here's where you can whitelist and blacklist file extensions so pictures movies exe things you really probably don't care about that would contain sensitive info here are the reg X's so we'll check some of these you can add your own reg ex is as I said they're based on PC Ares these options here tell the agent what to what reg ex is to treat as credit card so if it thinks it ran across a 16-digit number you might think it's a visa or mastercard but it's going to run that through the mod 10 check yep yeah exactly that's what this is exactly so it'll cut down on false positives and these options here it'll read inside zip files so office 2007 open office just normal zip files it'll pass them over once as a normal file then it will try to unzip them and go through its contents a second time this is the upload URL and the takes basic
authentication credentials in addition
to the certs so I don't want a fat
finger in cell copy paste this is the time between uploads so how often Oh pingback and we just fill out this stuff and submit the new policy now we want to
go to start the actual scan so we'll
just name this agent we select the profile that we just created and we enter our guinea pig here and it's going to start so if you were to scan maybe a thousand two thousand systems on this screen you would see a live scroll of this here saying zero systems remain or five hundred systems raining to you 400 300 once you get down to zero then you know it's safe to leave this page because if you don't leave this if you leave this page before then it might interrupt the deployments so if we go back now to
our guinea pig system we can see that
open dlp is running below normal it's going to run as a service and let me try to bring that up hope it's just done we
see here it's running as a service and
eventually it's now it's gone so when
it's done or even while it's running you can view the results live so you just go to the View scans and results and this is it's going to give you a summary of the scans here and you select one and here it's going to give you all the
systems in that one scan that I just launched so there's only one system and we can view the results here so we found
possibly a social number it let's say in
this file here so we can click it and we can download it and open it and we see
yeah there's probably a social the number ones number twos and then down here number three's so we can verify that if you think you found some false positives you can check these guys and
scroll to the bottom and just mark them
as false positive go back they're gone if you think you accidentally marked
something as a false positive you can manage your false positives here and
just drill down to the system and uncheck a couple now they're not a false
positive we can go back to the results and refresh and they're back now so
that's pretty much it for the agents scanner go back to my slides now
recently I added some new features though I gave a talk in Amsterdam in may and i added database agentless scan so I've got support for Microsoft sequel server and mysql and then most recently
right before this conference I added agentless support for windows and unix so for the database scans it's very very similar to creating a policy for an agent's can the only difference though is that instead of white listening and blacklisting files and directories you can whitelist and blacklist tables databases and columns that's pretty much the only difference it's going to run as a shell script of Perl script on your own system in the back background and it's going to walk the database structure just like you would walk at walketh walk through a SQL injection so it's going to numerate the databases in the tables and look in the columns and it's going to go after the data and then you can control the scans too so people quick demo with that so
we're going to start a new crea new profile again call this mysql and test
and test and here's where you can
whitelist and blacklist your databases your tables your columns you can limit how many call out how many rows you can grab so if you want to grab all rows just enter a zero but if you're going to be just be aware that you know some tables are quite large diff if there's a million rows it would take a while so we'll submit that and we will launch our
scan just like we did last time select
the profile that we just created I'm going to cheat and just do lupex I didn't bother to set up mysql listening on 3306 so this is going to go pretty fast in fact it should be done because there's not a lot of stuff here is the
scan that we just ran and we see that
it's done and we see you guys really
can't see that there's there's five findings to trust me and they're also numbers and it'll give the the database the table in the column name so if we want to verify that there's there's no option for me to verify that right now
but what we can do is just go into the database itself and we see that here's what it found all that good stuff so
that's it for the mysql demo now we're
going to do is demo the agent list OS scan it's only talk about it first the policy is again very similar you don't need admin credentials for this scan it's helpful but it's obviously if you don't give it an admin account it's not gonna be able to read all the files most likely so it's it's also honors the white listening blacklisting the memory ceiling it's going to be the memory ceiling on your own box not on the on the guinea pigs but in and then it's going to run in the background as a as the shell script as a perl script and i currently have support for windows the entire file system over SMB windows shares you guys can't see that and then also on unix / ssh using the sshfs method there so i'm going to
do a demo of unix real quick so create a new profile follow unix and i've got
some test data in a directory somewhere
so i only got about five minutes left
and I want to scan my entire system
and again the same file extensions options the regex is here credit cards zips and we're good to go we'll start
the scan
and it's now started so we can view it as it's going and well it's okay it's
already done and it's just like the last time you can see the results and do all
that good stuff so then finally what I'm going to do is I'm going to demo a
windows share because that's just slightly different so we'll create a new
profile this one this particular share is completely wide-open you don't need a
credentials at all so I'm not going to fill in anything so when you run your
vulnerability scanners you'll probably see that quite often the directory here that was a little bit different it's relative to the path of the share that you you're going to give it when you start the scan is if you try to put in you know C colon backslash windows it's not going to know where that is because it's got to be relative to the to the actual share so we'll just leave that blank for now and the file extensions
and reg exes again and the same thing credit cards and zip files so we'll submit that and we'll start a new scan
again and there's a slightly different thing here where instead of giving it a list of IP addresses you have to give it the actual full path to the share so it knows where to go and if you were to whitelist or black list file or directories it would just depend them here like that but you don't have to do that just give it to the base path of the share so we click start and it's going to go in the background is going to download all those files over the the share and we can view the results as they're coming in and how's bastard
usually if you catch it in time you're going to see that it'll give you like I'm twenty percent done i'm estimating just maybe a half an hour left in my scan but just for the purpose of this
demo I don't have that much time but here again you can see same exact stuff
you can download the files check them out and good to go so conclusion for pen
testers open dlp it's free it's open
source after you get domain admin or after you find some database credentials or UNIX credentials let it rip because you can show the c-level executives show your customers that there's very much risk to getting domain and a lot of those people don't really realize that oh you got domain MN okay whatever but if you show them that oh ok well here's all your customers so numbers or here's all your customers credit card numbers that were on Peggy an HR system or Bob and in finances system that it's it's pretty pretty damning and then finally for everybody
else if you're if you're some sort of admin this is free and really you should be using this to find your own sensitive data on those weird systems that you don't know about before people like anonymous or lil sick or our favorite you know nationally sanctioned hacking groups use or find and just to reiterate its multi-platform it does file systems and databases so really there's no excuse why you shouldn't be using this
but this is the project page it's on google code and the current version is zero dot 4 and it's kind of a bit of a pain in the ass to install so i made a vm but a year ago the vm is a little outdated i'm going to update it in the next few weeks but it's based on 0 to 2 it's easy to upgrade and then my contact info is there and i believe we have time yeah we've maybe five minutes for questions if anybody wants to go ahead sorry the question is if I looked into using I filters on windows to look into different binary types I do want to get into that especially outlook PST files because those are just going to be a frickin gold mine yeah yeah Alamy in fact you can make your own reg exes so just by default it comes with 13 but
here's an interface here where you can create your own reg exes so just give it
a name and you know some kind of pattern here or whatever and then just you're good to go yeah awesome i'm saying tiger ok so the question was how do i know that this tool won't modify data or harm data in any way because people are leery about open source tools I open the files of read-only so if they are modified after I open them I am not sure what happens but it will not be able not purposely modify the files at all it's just read only strictly read-only yes it would be listed in the logs here there's a section here for the logs and any file that I cannot open it's going to be mentioned here in the logs so there's not much here that I can open all the files that I could that I tested on my demo but it will mention it there yeah
have I thought about enumerated cackles oh the ACLS okay not so much right now but perhaps down the line yeah yeah great question so as a consultant I don't like to leave my systems on the job and his question was how do agents deal with a lack of communication with the web app or your own server and there's that that phone home option every five minutes or whatever you set it's going to keep trying every five minutes if it cannot contact your web app it's going to keep running and it's going to keep keep doing it to grep and then every five minutes it's going to try to phone home at the end if it's completely done searching all the files it'll tried every five minutes just to phone home still so let's say you you launched at the scan on Tuesday you come back in Wednesday morning and plug in you're just going to get a crap load of data like in the first five minutes it's kind of cool to watch but yeah it'll it'll handle miss communicating with the web server just fine yeah it depends on how many systems you're running and also how many findings there are and certainly the you can set the log verbosity in the in the profile too I haven't really investigated it too much except that I know it can handle several thousand just fine on just a decently recently made laptop no there are no agents on a database server the database scan is agent list so it's going to remotely connect and download all those all the tables and stuff yeah Oh Oh negligible it's just downloading the the tables and stuff just like every normal client would it downs it downloads it locally and does the processing locally it doesn't do anything on the database except it download the data yeah so yeah the question was a self-destruct like if it can't contact the server after a few days it'll just uninstall itself the problem that I ran to with that I haven't thought of that but I'm thinking of how Windows works and you can't as far as I'm as from what I understand the running process can't uninstall itself because it's running I might be wrong but that's why when it when these uninstall them when opened dlp uninstalls itself it's the web app sending another one of those win exe commands to the system but that is a really good idea just to cover your tracks more yeah another great question what happens when the victim systems that you're scanning with the agent die or they get rebooted or something since it runs as a service and it'll it'll automatically restart when the system restarts and open dlp knows it keeps track the last file it scanned so it'll just go back and resume where it was before I mean if the system is completely dead obviously nothing's going to run on us so I can't help that but if it gets rebooted or if no one's logged in it'll run and it'll resume just fine antivirus good question right now open dlp is not labeled a virus by anybody and I think if it ever does it be quite interesting because a lot of those AV companies also have dlp programs so little conflict of interest there but right now it's not identified as a virus if it tries to open a file that's identified as a virus then something will pop up and the user will see that because I've run into that with avg on occasion yep like a schedule his question was have I set up us any sort of scheduling or do these systems at a particular time not yet but that is on my to-do list absolutely anybody else otherwise I'm going to wrap up yet one more question I'm sorry it's really hard to hear you oh my what oh how am I storing the data on it's stored locally in a mysql database and you can select whether to mask or unmask that data so if you select a masket and you're worried about you becoming another risk it'll mask the first 75 percent of whatever string it finds a nun Matt it'll leave the last twenty-five percent unmasked but it is stored in plain text if you are really worried about it you can set up a TrueCrypt volume for your MySQL stuff but that's kind of outside the scope of my tool right now but that's all the time I have thank you