Sample Artifacts
Sample artifacts are artifacts that WildFire associates with samples only. You can find the following artifact types when you view Sample Details, in the File Analysis details of a sample.
| Artifact Type | Search with this Artifact Type to Find... |
|---|---|
| Compilation Timestamp | The date and time when a Portable Executable (PE) file was created. |
| Digital Signer | The digital signature that identifies the sender of the sample. |
| File Type | The file type of the sample. Examples include Email Link, Adobe Flash File, and PDF. |
| File Size | The size of the sample in bytes. |
| Finish Date | The date and time when WildFire analysis of the sample completed and the sample received a WildFire verdict. |
| First Seen | The date and time that the sample was first forwarded or uploaded to WildFire. You can search for samples based on relative dates and absolute dates. A relative date selects a date range that uses the current time as its reference point, while an absolute date specifies an exact point in time. If you use the First Seen artifact with a date range condition, the range must not exceed 365 days. Search queries with a date range that exceeds the maximum are automatically constrained to 1 year, and a message showing the redefined range is displayed below the search settings. |
| Import Table Hash | An import hash, or imphash, is a hash based on the order in which API functions are listed in the import table of a Portable Executable (PE). Imphashes can be used to identify similar samples that might belong to the same malware family. Imphashes are listed for malware and grayware samples only (not benign samples). |
| Last Updated | The date and time when WildFire changed the verdict for a sample. |
| MD5 | The sample’s unique cryptographic hash generated using the MD5 message-digest algorithm. |
| Region | Every WildFire public cloud to which a sample was submitted for analysis. The sample details list all of the WildFire clouds to which firewalls submitted the sample (different firewalls can submit the same sample to different WildFire clouds). To find samples that have been submitted to only a single WildFire cloud (and no other WildFire clouds), set up a search for a WildFire cloud, then add search conditions excluding samples submitted to the other WildFire clouds from the search results. For example, to search for samples that users submitted to the WildFire global cloud only, search with the condition Region is US combined with the condition Region is not for each of the other WildFire clouds. |
| SHA1 | The sample’s unique cryptographic hash generated using the Secure Hash Algorithm 1. |
| SHA256 | The sample’s unique cryptographic hash generated using Secure Hash Algorithm 256. |
| Ssdeep Fuzzy Hash | The fuzzy hash (generated by the ssdeep program) associated with the sample. The ssdeep program generates an ssdeep hash value, or fuzzy hash, for a sample, which can be used to identify samples that are very similar but not exactly alike. The ssdeep program allows you to compare sample fuzzy hashes to produce a percentage that indicates how closely the samples match; a high percentage indicates a high number of similarities between the samples. In AutoFocus, fuzzy hashes are listed for malware and grayware samples only (not benign samples). |
| WildFire Verdict | WildFire assigns a verdict of Malware, Grayware, Benign, or Phishing to the sample based on properties, behaviors, and activities observed for the file or email link during static and dynamic analysis. |
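The Import Table Hash row above says an imphash is derived from the order of the API functions in a PE's import table. The following added example (not AutoFocus or WildFire code) shows how that value is computed and why it clusters related samples: it follows the widely used convention implemented by the `pefile` library's `get_imphash()`, where each import is written as a lowercased `dll.function` string (the `.dll`/`.ocx`/`.sys` extension dropped, an unnamed ordinal import written as `ordN`), the strings are joined with commas in import-table order, and the result is MD5-hashed. The import tables used here are constructed sample data, not real samples, and `pefile`'s extra step of resolving well-known `ws2_32`/`oleaut32` ordinals to names is deliberately omitted.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple, Union

# One import-table entry: (DLL name, imported function name or ordinal number).
ImportEntry = Tuple[str, Union[str, int]]

# Library extensions that the imphash convention strips from the DLL name.
_STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


def normalize_imports(imports: Iterable[ImportEntry]) -> List[str]:
    """Turn raw import-table entries into canonical "dll.function" strings.

    Mirrors the pefile get_imphash() convention: DLL name lowercased with a
    .dll/.ocx/.sys extension removed, function name lowercased, and an import
    by ordinal with no name written as "ord<N>" (assumption: the well-known
    ws2_32/oleaut32 ordinal tables pefile consults are not reproduced here).
    Order is preserved on purpose; the hash is order-sensitive.
    """
    canonical = []
    for dll, func in imports:
        lib = dll.lower()
        base, sep, ext = lib.rpartition(".")
        if sep and ext in _STRIPPED_EXTENSIONS:
            lib = base
        name = "ord%d" % func if isinstance(func, int) else func.lower()
        canonical.append("%s.%s" % (lib, name))
    return canonical


def imphash(imports: Iterable[ImportEntry]) -> str:
    """Return the imphash: MD5 of the comma-joined canonical import list."""
    joined = ",".join(normalize_imports(imports))
    return hashlib.md5(joined.encode("ascii", "replace")).hexdigest()


def group_by_imphash(samples: Dict[str, List[ImportEntry]]) -> Dict[str, List[str]]:
    """Cluster sample names by imphash, the way an analyst pivots on the artifact."""
    groups: Dict[str, List[str]] = {}
    for name, imports in samples.items():
        groups.setdefault(imphash(imports), []).append(name)
    return groups


# Constructed import tables for three hypothetical samples (not real malware).
SAMPLE_A: List[ImportEntry] = [
    ("KERNEL32.dll", "CreateFileW"),
    ("KERNEL32.dll", "WriteFile"),
    ("ADVAPI32.dll", "RegSetValueExW"),
    ("USER32.dll", 2000),          # imported by ordinal, no name in the table
]
# Same imports and order, different name casing: yields the same imphash.
SAMPLE_B: List[ImportEntry] = [
    ("kernel32.DLL", "createfilew"),
    ("kernel32.DLL", "writefile"),
    ("Advapi32.dll", "regsetvalueexw"),
    ("user32.dll", 2000),
]
# Same set of imports in a different order: yields a different imphash.
SAMPLE_C: List[ImportEntry] = [
    ("KERNEL32.dll", "WriteFile"),
    ("KERNEL32.dll", "CreateFileW"),
    ("ADVAPI32.dll", "RegSetValueExW"),
    ("USER32.dll", 2000),
]

if __name__ == "__main__":
    for label, table in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(label, imphash(table), normalize_imports(table))
    print(group_by_imphash({"A": SAMPLE_A, "B": SAMPLE_B, "C": SAMPLE_C}))
```

On a real file you would obtain the import list from a PE parser (with `pefile`, `pefile.PE(path).get_imphash()` does the whole computation); the point of the hand-rolled version is to make visible that two builds sharing a linker layout collide on this value while a reordered import table does not, which is exactly why the artifact is a family-clustering pivot rather than a file identity like the MD5, SHA1 and SHA256 rows.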