View Hash Details About a File Using Cytool

Using Cytool, you can view hash information about files inside DLLs, drivers, and other portable executable (PE) files. For each file, Cytool displays the path, the file size in bytes, and the SHA256 hash of the file. If the file is a PE, Cytool also displays information about the target PE inside the file, including size, architecture type (i386 or x64), platform (for example, Win32 GUI, Win32 Console, or NT native), and hash value. After you identify the hash associated with the target file, you can manage Hash Control from the ESM Console or add the hash to an SFX whitelist in the database.
Use the cytool image "<filepath>\<filename>" command to identify hash information about a file.
  1. Open a command prompt as an administrator and navigate to the Traps folder (see Access Cytool).
  2. To view hash details about a file, use the cytool image "<filepath>\<filename>" command. For example, the following output displays information about iexplore.exe.
    C:\Program Files\Palo Alto Networks\Traps> cytool image "C:\Program Files\Internet Explorer\iexplore.exe"
    Image Information
    Location: C:\Program Files\Internet Explorer\iexplore.exe
    Size: 795.20 KB (814280 bytes)
    File SHA256: 1130c581e0e88111ec02d09ab4fc1f6d532f762c9339c7d54abaf8f43c796fe5
    Architecture: x86-64
    Subsystem: Windows GUI
    PE Size: 780.00 KB (798720 bytes)
    PE SHA256: 79dc738ce785befcc315d004e15f2748ffd967eede830c4f9f0a59a5f6902203
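
When hashes from several files have to be collected before they are entered in Hash Control or a whitelist, the output above can be parsed and validated rather than copied by hand. The following is an added example, not part of Cytool or the original page; `parse_cytool_image` is a hypothetical helper, and it assumes the field labels are exactly those in the example output and that the PE lines are absent for a non-PE file.

```python
import re

# Output copied from the iexplore.exe example on this page.
SAMPLE_OUTPUT = r"""Image Information
Location: C:\Program Files\Internet Explorer\iexplore.exe
Size: 795.20 KB (814280 bytes)
File SHA256: 1130c581e0e88111ec02d09ab4fc1f6d532f762c9339c7d54abaf8f43c796fe5
Architecture: x86-64
Subsystem: Windows GUI
PE Size: 780.00 KB (798720 bytes)
PE SHA256: 79dc738ce785befcc315d004e15f2748ffd967eede830c4f9f0a59a5f6902203
"""
SHA256_RE = re.compile(r"[0-9a-f]{64}")
BYTES_RE = re.compile(r"\((\d+) bytes\)")

def _sha256(value):
    # Accept only a 64-character hex digest; normalise to lowercase.
    if not SHA256_RE.fullmatch(value.lower()):
        raise ValueError(f"not a SHA256 hex digest: {value!r}")
    return value.lower()

def _byte_count(value):
    # Pull the exact byte count out of a 'NNN KB (N bytes)' value.
    match = BYTES_RE.search(value)
    if not match:
        raise ValueError(f"no byte count in {value!r}")
    return int(match.group(1))

def parse_cytool_image(text):
    """Parse `cytool image` output (hypothetical helper, not part of Cytool)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:
            fields[key] = value.strip()
    missing = [k for k in ("Location", "Size", "File SHA256") if k not in fields]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    record = {"location": fields["Location"],
              "file_size": _byte_count(fields["Size"]),
              "file_sha256": _sha256(fields["File SHA256"]),
              "pe": None}  # stays None when no PE fields are reported
    if "PE SHA256" in fields and "PE Size" in fields:
        record["pe"] = {"size": _byte_count(fields["PE Size"]),
                        "sha256": _sha256(fields["PE SHA256"]),
                        "architecture": fields.get("Architecture"),
                        "subsystem": fields.get("Subsystem")}
    return record
```

A truncated or mistyped hash raises `ValueError` instead of being passed on, and the file and PE values stay separate so the two hashes are not confused when one of them is whitelisted.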

