
Sample Artifacts

Sample artifacts are artifacts that WildFire associates with samples only. You can find the following artifact types when you view Sample Details, in the File Analysis details of a sample.
Artifact Type
Search with this Artifact Type to Find...
Compilation Timestamp
The date and time when a Portable Executable (PE) file was created.
Digital Signer
The digital signature that identifies the sender of the sample.
File Type
The file type of the sample. Examples include Email Link, Adobe Flash File, and PDF.
File Size
The size of the sample in bytes.
Finish Date
The date and time when WildFire analysis of the sample completed and the sample received a WildFire verdict.
First Seen
The date and time that the sample was first forwarded or uploaded to WildFire. You can search for samples based on relative dates and absolute dates. Using a relative date allows you to select a date range based on the current time as a reference point, while the absolute date allows you to specify an exact point in time.
If you use the First Seen artifact with a date range condition, the range must not exceed 365 days. Search queries with a date range that exceeds this maximum are automatically constrained to 1 year, and a message showing the redefined range is displayed below the search settings.
Import Table Hash
An import hash, or imphash, is a hash based on the order in which API functions are listed in the import table of a Portable Executable (PE). Imphashes can be used to identify similar samples that might belong to the same malware family.
Imphashes are listed for malware and grayware samples only (not benign samples).
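To make the "order of the import table" point concrete, here is an added example (not AutoFocus or WildFire code) that computes an imphash from a constructed import list using the widely used Mandiant/pefile convention: lowercase the DLL name, strip its .dll/.ocx/.sys extension, join each entry as dll.function, separate entries with commas, and MD5 the result. The import tables below are made up for illustration; reordering the same imports yields a different imphash.

```python
import hashlib

# Constructed import tables: (DLL, imported function) in the order they
# appear in the PE import directory. These are not real samples.
SAMPLE_A = [
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "LoadLibraryA"),
    ("USER32.dll", "MessageBoxA"),
]
# Same three imports in a different order: this produces a different imphash,
# because the hash covers the sequence, not just the set, of imports.
SAMPLE_B = [
    ("USER32.dll", "MessageBoxA"),
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "GetProcAddress"),
]


def imphash(imports):
    """Return the imphash (hex MD5) of an ordered list of (dll, function) pairs.

    Functions imported by ordinal are given as integers and encoded as
    "ordN", matching the pefile convention.
    """
    parts = []
    for dll, func in imports:
        name = dll.lower()
        # Strip the module extension so KERNEL32.dll and kernel32.DLL agree.
        for ext in (".dll", ".ocx", ".sys"):
            if name.endswith(ext):
                name = name[: -len(ext)]
                break
        func_name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{name}.{func_name}")
    # MD5 is the algorithm imphash is defined with; it is an identifier here,
    # not a security control.
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print("sample A imphash:", imphash(SAMPLE_A))
    print("sample B imphash:", imphash(SAMPLE_B))
    print("identical:", imphash(SAMPLE_A) == imphash(SAMPLE_B))
```

Two samples with the same imphash share the same import sequence, which is why the value is useful for clustering variants of one family even when their file hashes differ.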
Last Updated
The date and time when WildFire changed the verdict for a sample.
MD5
The sample’s unique cryptographic hash generated using the MD5 message-digest algorithm.
Region
Every WildFire public cloud to which a sample was submitted for analysis. The sample details list all of the WildFire clouds to which firewalls submitted the sample (different firewalls can submit the same sample to different WildFire clouds).
To find samples that have been submitted to only a single WildFire cloud (and no other WildFire clouds), set up a search for a WildFire cloud. Then, add search conditions excluding samples submitted to the other WildFire clouds from the search results. For example, to search for samples that users submitted to the WildFire global cloud only, search with the condition Region is US combined with the condition Region is not for each of the other WildFire clouds.
SHA1
The sample’s unique cryptographic hash generated using the Secure Hash Algorithm 1.
  • SHA1 hashes are only available for samples submitted after 10-17-2014.
  • Macros contained within a sample do not support SHA1 hashing.
SHA256
The sample’s unique cryptographic hash generated using Secure Hash Algorithm 256.
Ssdeep Fuzzy Hash
The fuzzy hash (generated by the ssdeep program) associated with the sample.
The ssdeep program generates an ssdeep hash value, or a fuzzy hash, for a sample, which can be used to identify samples that are very similar but not exactly alike. The ssdeep program allows you to compare sample fuzzy hashes to produce a percentage that indicates how closely the samples match. In ssdeep, a high percentage indicates a high number of similarities between the samples.
In AutoFocus, fuzzy hashes are listed for malware and grayware samples only (not benign samples).
WildFire Verdict
WildFire assigns a verdict of Malware, Grayware, Benign, or Phishing to the sample based on properties, behaviors, and activities observed for the file or email link during static and dynamic analysis.