Investigate a File

Each time a file attempts to run on a Mac or Windows endpoint, Traps logs the event and reports it to Traps management service. The page in Traps management service displays all the files that run on your endpoints, the corresponding verdicts, and other details about the files. When a security event occurs or a specific file warrants investigation, you can review the WildFire Analysis Report, view which endpoints have attempted to run the file, and, if necessary, create an exception to override the official verdict.
To investigate a file:
  1. Select
  2. Filter for one or more files.
    • By timeframe—Select the period for which you would like to filter the files: Last 24 hours, Last 7 days, Last 30 days, or Last 3 Months.
    • By file name or SHA256—Enter a full or partial File Name in the Search field. Or to search for a file by its SHA256 hash value, select instead of File Name and enter the full value.
    • By endpoint—Enter a full or partial hostname (or alias, if assigned) in the Search field.
    Traps management service filters the results based on your filter or search criteria.
  3. Select the File Name to view additional details about the file.
    Traps management service summarizes details about the file and displays the most recent verdict assigned to the file along with the verdict source.
  4. To view the endpoints on which a file attempted to run during the last month, click the
    Traps management service displays details about each Endpoint including the that was logged in when the file attempted to run, full path, local analysis verdict (if issued), Content Version of the local policy, and the date when the file was Last seen.
  5. Select the tab to Review WildFire Analysis Details.
  6. If after analyzing the WildFire Analysis Report and completing any additional research, you believe the verdict for the file is incorrect:
