File Hash Search Conditions
4.2 (EoS)
Search fields at the top of the Hash Control page allow you to filter using one or more search conditions. For search queries with multiple conditions, you can query results that match All of the search conditions or results that match Any of the search conditions. You can also choose from predefined search queries for quick access to records that may require additional action. For example, you can use predefined queries to review malware discovered within the last 24 hours, or to identify malware that was quarantined on the endpoint (restoration candidates). You can also import a previously saved search query or export a query to use it again later.

The ESM Console search engine queries the ESM database for records that match the search conditions and returns up to 1,000 matching results. Searches with a large number of results may take a few seconds to complete.

The following table displays the search conditions that you can use to filter the hash records.
| Condition | Operators | Description |
|---|---|---|
| Endpoint | | Name of the endpoint, or list of endpoints separated by new lines |
| File Name | | Full or partial filename (Microsoft Office files containing macros, executable files, Mach-object (Mach-o) files, or DLLs), or list of filenames separated by new lines |
| File Size | | File size in MB |
| File Type | | One of the following file types: |
| First Seen | | Date and time at which the file was first seen by Traps |
| Last Seen | | Date and time at which the file was last seen by Traps |
| Module | | Module which issued the verdict: WildFire, Hash Control, or Local Analysis. Use the was/wasn't operator to identify changes in the source of a verdict. For example, to identify hashes whose verdict was previously issued by Local Analysis but is now issued by WildFire, set the following search conditions: (Module was Local Analysis) and (Module is WildFire). |
| Number of Endpoints | | Number of endpoints on which the file was seen |
| Quarantine Status | | Quarantine status of the file, one of the following: |
| SHA256 | | Full or partial hash value, or list of hash values separated by new lines |
| Upload Status | | Status of the upload to WildFire, one of the following: |
| Verdict | | Verdict regardless of source (WildFire, Local Analysis, or Hash Control): Benign, Malware, Grayware, Unknown, or No Connection. Use the was/wasn't operators to search for previous verdicts (all historically known verdicts). |
| WildFire Verdict | | Official WildFire verdict: Benign, Malware, Grayware, Unknown, or No Connection. You can use this search condition to locate hashes that have verdicts that are different from WildFire. For example, to identify files that are blocked by an administrative override (Hash Control), but are considered benign by WildFire, set the following search conditions: (WildFire Verdict is Benign) and (Verdict is Malware). |
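The semantics of the is/isn't and was/wasn't operators, and of the All/Any combinator, are easy to get wrong when reasoning about verdict history, so the following added example (not code from the ESM Console or the Traps product) models them over a handful of constructed hash records. It assumes that "is" compares the current value, that "was" matches any value in the record's known history including the current one, that partial file-name matching is expressed with a "contains" operator, and that the 1,000-result cap is applied after filtering; the record layout, the `condition` and `search` helpers, and the sample hashes are all hypothetical.

```python
"""Toy model of Hash Control search conditions (added example, not product code).

Assumptions, not taken from the documentation:
  - "is" / "isn't" test the record's current value,
  - "was" / "wasn't" test every historically known value (current one included),
  - "contains" gives the case-insensitive partial match used for file names,
  - results are capped at 1000 after filtering, mirroring the console's limit.
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable, List

@dataclass
class HashRecord:
    sha256: str
    file_name: str
    module: str                 # source of the current verdict
    verdict: str                # current verdict regardless of source
    wildfire_verdict: str       # official WildFire verdict
    quarantine_status: str
    module_history: List[str] = field(default_factory=list)   # previous sources, oldest first
    verdict_history: List[str] = field(default_factory=list)  # previous verdicts, oldest first

# Constructed sample records; the hashes are placeholders, not real file hashes.
RECORDS = [
    HashRecord("aa" * 32, "invoice.docm", "WildFire", "Malware", "Malware", "Quarantined",
               module_history=["Local Analysis"], verdict_history=["Malware"]),
    HashRecord("bb" * 32, "tool.exe", "Hash Control", "Malware", "Benign", "Not quarantined",
               module_history=["WildFire"], verdict_history=["Benign"]),
    HashRecord("cc" * 32, "setup.exe", "WildFire", "Benign", "Benign", "Not quarantined"),
    HashRecord("dd" * 32, "helper.dll", "Local Analysis", "Grayware", "No Connection",
               "Not quarantined"),
]

# Fields that carry a history; "was"/"wasn't" on any other field only sees the current value.
HISTORY_FIELDS = {"module": "module_history", "verdict": "verdict_history"}

def condition(field_name: str, op: str, value: str) -> Callable[[HashRecord], bool]:
    """Build a predicate for one search condition of the form <field> <op> <value>."""
    def current(r: HashRecord) -> str:
        return getattr(r, field_name)

    def historical(r: HashRecord) -> List[str]:
        hist_attr = HISTORY_FIELDS.get(field_name)
        past = getattr(r, hist_attr) if hist_attr else []
        return past + [current(r)]

    ops = {
        "is":       lambda r: current(r) == value,
        "isn't":    lambda r: current(r) != value,
        "was":      lambda r: value in historical(r),
        "wasn't":   lambda r: value not in historical(r),
        "contains": lambda r: value.lower() in current(r).lower(),
    }
    if op not in ops:
        raise ValueError(f"unsupported operator: {op}")
    return ops[op]

def search(records: Iterable[HashRecord],
           conditions: List[Callable[[HashRecord], bool]],
           match: str = "all", limit: int = 1000) -> List[HashRecord]:
    """Apply the conditions with the All/Any combinator and cap the result count."""
    if match not in ("all", "any"):
        raise ValueError("match must be 'all' or 'any'")
    combine = all if match == "all" else any
    hits = [r for r in records if combine(c(r) for c in conditions)]
    return hits[:limit]

def file_names(hits: List[HashRecord]) -> List[str]:
    return [r.file_name for r in hits]

# The two worked queries from the table, expressed with the helpers above.
def verdict_source_moved_to_wildfire() -> List[str]:
    """(Module was Local Analysis) and (Module is WildFire)"""
    return file_names(search(RECORDS, [condition("module", "was", "Local Analysis"),
                                       condition("module", "is", "WildFire")]))

def overridden_but_benign_in_wildfire() -> List[str]:
    """(WildFire Verdict is Benign) and (Verdict is Malware)"""
    return file_names(search(RECORDS, [condition("wildfire_verdict", "is", "Benign"),
                                       condition("verdict", "is", "Malware")]))

def needs_review_any() -> List[str]:
    """Any-match query: grayware verdicts or files already quarantined."""
    return file_names(search(RECORDS, [condition("verdict", "is", "Grayware"),
                                       condition("quarantine_status", "is", "Quarantined")],
                             match="any"))

if __name__ == "__main__":
    print("source moved Local Analysis -> WildFire:", verdict_source_moved_to_wildfire())
    print("Hash Control override, WildFire benign:", overridden_but_benign_in_wildfire())
    print("grayware or quarantined (Any):", needs_review_any())
```

Note how `helper.dll` satisfies "Module was Local Analysis" because its current source is Local Analysis, yet is excluded from the first query by the "is WildFire" condition; that is the distinction the was/wasn't operators exist to express, and it is why a "wasn't" condition on a record with no recorded history only reflects its present value.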