Investigate a File

Each time a file attempts to run on a Mac or Windows endpoint, Traps logs the event and reports it to Traps management service. The Files page in Traps management service displays all the files that run on your endpoints, the corresponding verdicts, and other details about the files. When a security event occurs or a specific file warrants investigation, you can review the WildFire Analysis Report, view which endpoints have attempted to run the file, and, if necessary, create an exception to override the official verdict.
To investigate a file:
  1. Select Files.
  2. Filter for one or more files.
    • By timeframe—Select the Timeframe period for which you would like to filter the files: Last 24 hours, Last 7 days, Last 30 days, Last 3 Months.
    • By file name or SHA256—Enter a full or partial File Name in the Search field. Or to search for a file by its SHA256 hash value, select SHA256 instead of File Name and enter the full value.
    • By endpoint—Enter a full or partial Endpoint hostname (or alias, if assigned) in the Search field.
    Traps management service filters the results based on your filter or search criteria.
  3. Select the File Name to view additional details about the file.
    Traps management service summarizes details about the file and displays the most recent verdict assigned to the file along with the verdict source.
  4. To view the endpoints on which a file attempted to run during the last month, click the Endpoints tab.
    Traps management service displays details about each Endpoint including the Endpoint name, User that was logged in when the file attempted to run, full File path, local analysis verdict (if issued), Content Version of the local policy, and the date when the file was Last seen.
  5. Select the WildFire tab to Review WildFire Analysis Details.
  6. If, after analyzing the WildFire Analysis Report and completing any additional research, you believe the verdict for the file is incorrect:
