File Hash Search Conditions

Search fields at the top of the Hash Control page allow you to filter using one or more search conditions. For search queries with multiple conditions, you can query results that match All of the search conditions or results that match Any of the search conditions. You can also choose from predefined search queries for quick access to records that may require additional action. For example, you can use predefined queries to review malware discovered within the last 24 hours, or you can identify malware that was quarantined on the endpoint (restoration candidates). You can also import a previously saved search query or export a query to use it again later.
The ESM Console search engine queries the ESM database for records which match the search conditions and returns up to 1,000 matching results. Searches with a large number of results may take a few seconds to complete.
The following table displays the search conditions that you can use to filter the hash records.
File Hash Search Conditions
Condition
Operators
Description
Endpoint
  • is
  • is in list
  • is not in list
  • isn’t
Name of the endpoint, or list of endpoints separated by new lines
File Name
  • is
  • is in list
  • is not in list
  • isn’t
  • contains
Full or partial filename (Microsoft Office files containing macros, executable files, Mach-object (Mach-o) files, or DLLs), or list of filenames separated by new lines
File Size
  • greater than
  • less than
File size in MB
File Type
  • is
  • is in list
One of the following files types:
  • PE—Portable executable file
  • Mach-o—Mach object files for macOS
  • Office File—Microsoft Office files containing macros
  • DLL—DLL files
First Seen
  • after
  • before
Date and time at which the file was first seen by Traps
Last Seen
  • after
  • before
Date and time at which the file was last seen by Traps
Module
  • is
  • is in list
  • is not in list
  • isn’t
Module which issued the verdict: WildFire, Hash Control, or Local Analysis
Use the was/wasn’t operator to identify changes in the source of a verdict. For example, to identify hashes whose verdict was previously issued by Local Analysis but is now issued by WildFire, set the following search conditions: (Module was Local Analysis) and (Module is WildFire).
Number of Endpoints
  • is
  • greater than
  • less than
Number of endpoints on which the file was seen
Quarantine Status
  • is
  • isn’t
Quarantine status of the file, one of the following:
  • Yes—Traps successfully quarantined the file
  • No—Traps failed to quarantine the file
  • Pending Restore—Traps is attempting to restore a quarantined file
  • Failed—Traps failed to restore a quarantined file
  • Restore succeeded—Traps successfully restored a quarantined file
  • Quarantine record deleted—The quarantine record was deleted. This can occur when Traps receives an action rule to purge the prevention data, or when the folder storage quota is reached causing Traps to automatically purge the oldest files.
SHA256
  • is
  • is in list
  • is not in list
  • isn’t
  • contains
Full or partial hash value, or list of hash values separated by new lines
Upload Status
  • is
  • isn’t
Status of the upload to WildFire, one of the following:
  • No information supplied—The file upload is not required because WildFire has already analyzed the file.
  • Upload in progress—The file upload has begun.
  • Upload succeeded—The ESM Server received the file from the endpoint.
  • Upload failed—Traps failed to upload the file to the ESM Server.
  • Upload limit exceeded—The file will not be uploaded because the file exceeded the maximum size limit (by default 100MB or as defined in the WildFire settings).
Verdict
  • is
  • isn’t
  • was
  • wasn’t
Verdict regardless of source (WildFire, Local Analysis, or Hash Control): Benign, Malware, Grayware, Unknown, or No Connection. Use the was/wasn’t operators to search for previous verdicts (all historically known verdicts).
WildFire Verdict
  • is
  • isn’t
Official WildFire verdict: Benign, Malware, Grayware, Unknown, or No Connection.
You can use this search condition to locate hashes that have verdicts that are different from WildFire. For example, to identify files that are blocked by an administrative override (Hash Control), but are considered benign by WildFire, set the following search conditions: (WildFire Verdict is Benign and (Verdict is Malware).

Related Documentation