Sample artifacts are artifacts that WildFire associates with samples only. You can find the following artifact types when you view Sample Details, in the File Analysis details of a sample.
Search with this Artifact Type to Find...
The date and time when a Portable Executable (PE) file was created.
The digital signature that identifies the sender of the sample.
The file type of the sample. Examples include Email Link, Adobe Flash File, and PDF.
The size of the sample in bytes.
The date and time when WildFire analysis of the sample completed and the sample received a WildFire verdict.
The date and time that the sample was first forwarded or uploaded to WildFire. You can search for samples based on relative dates and absolute dates. Using a relative date allows you to select a date range based on the current time as a reference point, while the absolute date allows you to specify an exact point in time.
Import Table Hash
An import hash, or imphash, is a hash based on the order in which API functions are listed in the import table of a Portable Executable (PE). Imphashes can be used to identify similar samples that might belong to the same malware family.
Imphashes are listed for malware and grayware samples only (not benign samples).
The date and time when WildFire changed the verdict for a sample.
The sample’s unique cryptographic hash generated using the MD5 message-digest algorithm.
Every WildFire cloud (global or regional) to which a sample was submitted for analysis. The sample details list all of the WildFire clouds to which firewalls submitted the sample (different firewalls can submit the same sample to different WildFire clouds).
To find samples that have been submitted to only a single WildFire cloud (and no other WildFire clouds), set up a search for a WildFire cloud. Then, add search conditions excluding samples submitted to the other WildFire clouds from the search results. For example, to search for samples that users submitted to the WildFire global cloud only, search with the condition
combined with the condition
for each of the other WildFire clouds.
The sample’s unique cryptographic hash generated using the Secure Hash Algorithm 1.
The sample’s unique cryptographic hash generated using Secure Hash Algorithm 256.
Ssdeep Fuzzy Hash
The fuzzy hash (generated by the ssdeep program) associated with the sample.
The ssdeep program generates an ssdeep hash value, or fuzzy hash, for a sample, which can be used to identify samples that are very similar but not exactly alike. The ssdeep program allows you to compare sample fuzzy hashes to produce a percentage that indicates how closely the samples match. In ssdeep, a high percentage indicates a high number of similarities between the samples.
In AutoFocus, fuzzy hashes are listed for malware and grayware samples only (not benign samples).
WildFire assigns a verdict of Malware, Grayware, Benign, or Phishing to the sample based on properties, behaviors, and activities observed for the file or email link during static and dynamic analysis.
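The following added example (not part of the original documentation, and not WildFire or AutoFocus code) illustrates the Import Table Hash description above: it computes an imphash from an ordered import list and groups samples that share one. It assumes the widely used imphash convention (MD5 over the comma-joined, lower-cased `library.function` strings, with the library extension stripped); the page does not state which implementation WildFire uses, and the function names and sample import lists are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Library extensions dropped before hashing in the common imphash convention.
_STRIP_EXT = {"dll", "ocx", "sys"}


def imphash(imports):
    """Return the imphash for an ordered list of (library, symbol) pairs.

    `symbol` is a function name (str) or an import ordinal (int). The list
    must be in import-table order, because the order is part of the hash.
    """
    parts = []
    for library, symbol in imports:
        lib = library.lower()
        stem, _, ext = lib.rpartition(".")
        if stem and ext in _STRIP_EXT:
            lib = stem
        # Simplification (assumption): ordinal-only imports are written "ordN".
        name = f"ord{symbol}" if isinstance(symbol, int) else symbol.lower()
        parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def cluster_by_imphash(samples):
    """Group sample names by imphash; samples maps name -> ordered imports."""
    groups = defaultdict(list)
    for name, imports in samples.items():
        groups[imphash(imports)].append(name)
    return dict(groups)


# Constructed import tables (not taken from real samples).
SAMPLES = {
    # Same imports in the same order; only the letter case of the DLL differs.
    "sample_a": [("KERNEL32.dll", "CreateFileW"), ("KERNEL32.dll", "WriteFile"),
                 ("WS2_32.dll", "connect")],
    "sample_b": [("kernel32.DLL", "CreateFileW"), ("kernel32.DLL", "WriteFile"),
                 ("ws2_32.dll", "connect")],
    # Same set of imports, but the first two are swapped.
    "sample_c": [("KERNEL32.dll", "WriteFile"), ("KERNEL32.dll", "CreateFileW"),
                 ("WS2_32.dll", "connect")],
}

if __name__ == "__main__":
    for digest, names in cluster_by_imphash(SAMPLES).items():
        print(digest, sorted(names))
```

Because import order feeds the hash, `sample_c` lands in its own group even though it imports the same functions, so a matching imphash is a lead for similarity, not proof of it.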