File Hash Search Conditions
Search fields at the top of the Hash Control page allow you to filter using one or more search conditions. For search queries with multiple conditions, you can query results that match All of the search conditions or results that match Any of the search conditions. You can also choose from predefined search queries for quick access to records that may require additional action. For example, you can use predefined queries to review malware discovered within the last 24 hours, or you can identify malware that was quarantined on the endpoint (restoration candidates). You can also import a previously saved search query or export a query to use it again later.
The ESM Console search engine queries the ESM database for records that match the search conditions and returns up to 1,000 matching results. Searches with a large number of results may take a few seconds to complete.
The following table displays the search conditions that you can use to filter the hash records.
| Search Condition | Description |
|---|---|
| Endpoint | Name of the endpoint, or list of endpoints separated by new lines |
| File Name | Full or partial filename (Microsoft Office files containing macros, executable files, Mach-object (Mach-o) files, or DLLs), or list of filenames separated by new lines |
| File Size | File size in MB |
| File Type | One of the following file types: |
| First Seen | Date and time at which the file was first seen by Traps |
| Last Seen | Date and time at which the file was last seen by Traps |
| Module | Module that issued the verdict: WildFire, Hash Control, or Local Analysis. Use the was/wasn't operator to identify changes in the source of a verdict. For example, to identify hashes whose verdict was previously issued by Local Analysis but is now issued by WildFire, set the following search conditions: (Module was Local Analysis) and (Module is WildFire). |
| Number of Endpoints | Number of endpoints on which the file was seen |
| Quarantine Status | Quarantine status of the file, one of the following: |
| SHA256 | Full or partial hash value, or list of hash values separated by new lines |
| Upload Status | Status of the upload to WildFire, one of the |
| Verdict | Verdict regardless of source (WildFire, Local Analysis, or Hash Control): Benign, Malware, Grayware, Unknown, or No Connection. Use the was/wasn't operators to search for previous verdicts (all historically known verdicts). |
| WildFire Verdict | Official WildFire verdict: Benign, Malware, Grayware, Unknown, or No Connection. You can use this search condition to locate hashes whose current verdict differs from the WildFire verdict. For example, to identify files that are blocked by an administrative override (Hash Control) but are considered benign by WildFire, set the following search conditions: (WildFire Verdict is Benign) and (Verdict is Malware). |
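The following is an added example, not code from the Traps product or its documentation: a small Python model of the query semantics described above, showing how the is/isn't operators test a record's current value while was/wasn't test its verdict history, how All and Any combine conditions, and how the 1,000-result cap applies. The record fields, the history layout and the sample hashes are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class HashRecord:
    """One Hash Control record (assumed layout). `history` holds earlier
    values of the searchable fields, which is what was/wasn't inspect."""
    sha256: str
    module: str            # module that issued the current verdict
    verdict: str           # verdict regardless of source
    wildfire_verdict: str  # official WildFire verdict
    history: list = field(default_factory=list)  # earlier {field: value} dicts

def condition(field_name, op, value):
    """Build a predicate for one search condition. 'is'/'isn't' test the
    current value; 'was'/"wasn't" test values the record held previously."""
    def pred(rec):
        if op in ("is", "isn't"):
            return (getattr(rec, field_name) == value) == (op == "is")
        if op in ("was", "wasn't"):
            past = {h[field_name] for h in rec.history if field_name in h}
            return (value in past) == (op == "was")
        raise ValueError(f"unknown operator: {op}")
    return pred

def search(records, conditions, match="all", limit=1000):
    """Return SHA256 values of records matching All or Any of the
    conditions, capped at `limit` results as the ESM Console search is."""
    combine = all if match == "all" else any
    hits = [r.sha256 for r in records if combine(c(r) for c in conditions)]
    return hits[:limit]

# Constructed sample records (placeholder hashes, not real indicators).
SHA_A, SHA_B, SHA_C = "a" * 64, "b" * 64, "c" * 64
RECORDS = [
    # verdict first issued by Local Analysis, later replaced by WildFire
    HashRecord(SHA_A, "WildFire", "Malware", "Malware",
               history=[{"module": "Local Analysis", "verdict": "Malware"}]),
    # administrative override: Hash Control blocks a file WildFire calls benign
    HashRecord(SHA_B, "Hash Control", "Malware", "Benign",
               history=[{"module": "WildFire", "verdict": "Benign"}]),
    HashRecord(SHA_C, "WildFire", "Benign", "Benign"),
]

# (Module was Local Analysis) and (Module is WildFire)
SOURCE_CHANGED = search(RECORDS, [condition("module", "was", "Local Analysis"),
                                  condition("module", "is", "WildFire")])
# (WildFire Verdict is Benign) and (Verdict is Malware)
OVERRIDES = search(RECORDS, [condition("wildfire_verdict", "is", "Benign"),
                             condition("verdict", "is", "Malware")])

if __name__ == "__main__":
    print("verdict source moved to WildFire:", SOURCE_CHANGED)
    print("Hash Control overrides of benign WildFire verdicts:", OVERRIDES)
```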