File Hash Search Conditions
Search fields at the top of the Hash Control page allow you to filter using one or more search conditions. For search queries with multiple conditions, you can query results that match All of the search conditions or results that match Any of the search conditions. You can also choose from predefined search queries for quick access to records that may require additional action. For example, you can use predefined queries to review malware discovered within the last 24 hours, or you can identify malware that was quarantined on the endpoint (restoration candidates). You can also import a previously saved search query or export a query to use it again later.
The ESM Console search engine queries the ESM database for records which match the search conditions and returns up to 1,000 matching results. Searches with a large number of results may take a few seconds to complete.
The following table displays the search conditions that you can use to filter the hash records.
Name of the endpoint, or list of endpoints separated by new lines
Full or partial filename (Microsoft Office files containing macros, executable files, Mach-object (Mach-o) files, or DLLs), or list of filenames separated by new lines
File size in MB
One of the following file types:
Date and time at which the file was first seen by Traps
Date and time at which the file was last seen by Traps
Module which issued the verdict: WildFire, Hash Control, or Local Analysis
Use the was/wasn’t operator to identify changes in the source of a verdict. For example, to identify hashes whose verdict was previously issued by Local Analysis but is now issued by WildFire, set the following search conditions: (Module was Local Analysis) and (Module is WildFire).
Number of Endpoints
Number of endpoints on which the file was seen
Quarantine status of the file, one of the following:
Full or partial hash value, or list of hash values separated by new lines
Status of the upload to WildFire, one of the following:
Verdict regardless of source (WildFire, Local Analysis, or Hash Control):
No Connection. Use the was/wasn’t operators to search for previous verdicts (all historically known verdicts).
Official WildFire verdict:
You can use this search condition to locate hashes whose verdict differs from the official WildFire verdict. For example, to identify files that are blocked by an administrative override (Hash Control), but are considered benign by WildFire, set the following search conditions: (WildFire Verdict is Benign) and (Verdict is Malware).