PolySwarm supports both Hash Searching and Metadata Searching.
Searching by Hash allows you to find Artifacts that match a given hash. We support searching by MD5, SHA1, and SHA256.
Hash search results are listed on the Search page's Hash Searching tab. The first column is the SHA256 hash and the second column is the Detections. The Detections column can show one of four values:
- M/T (Malicious/Total), where Malicious is the number of microengines that found the artifact to be malicious and Total is the total number of microengines that analyzed the artifact.
- "Scan Now" - This means we have an artifact matching the hash, but it has not been scanned. Click on "Scan Now" to trigger a scan of that artifact.
- "Not Found" - No artifact matching the hash was found.
- "Invalid Hash" - The hash string was not a SHA256, SHA1, or MD5 hash.
For any row having a hash that was found, clicking on the row will take you to the most recent scan results for that artifact.
Clicking the "Search Multiple" toggle above the search box in the Hash Searching tab lets you enter a list of hashes to be searched. When multiple hashes are searched, the results are displayed in the same order as the list of hashes provided.
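The following is an added example, not PolySwarm's own code, that reproduces the Hash Searching tab's rules locally: it classifies each input as MD5, SHA1, SHA256 or "Invalid Hash" by hex length, looks it up in a small constructed artifact index (not real PolySwarm data), and emits one row per input in input order with the four possible Detections values. The index and the `search_hashes` helper are assumptions for illustration only.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Hex-digest lengths of the three hash types the Hash Searching tab accepts.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(value: str) -> Optional[str]:
    """Return 'md5', 'sha1' or 'sha256' for a well-formed hex digest, else None."""
    h = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", h):
        return None
    return HASH_TYPES.get(len(h))


def _digests(data: bytes) -> Dict[str, str]:
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


# Constructed stand-in for the artifact store: every artifact is addressable by any of
# its three digests and maps to (sha256, scan) where scan is (malicious, total) or None.
SAMPLE_DIGESTS = {
    "scanned": _digests(b"constructed sample: scanned artifact"),
    "unscanned": _digests(b"constructed sample: unscanned artifact"),
}
SAMPLE_SCANS = {"scanned": (3, 12), "unscanned": None}
SAMPLE_INDEX: Dict[str, Tuple[str, Optional[Tuple[int, int]]]] = {
    digest: (d["sha256"], SAMPLE_SCANS[label])
    for label, d in SAMPLE_DIGESTS.items()
    for digest in d.values()
}


def search_hashes(values: List[str]) -> List[Tuple[str, str]]:
    """One (sha256 or input, detections) row per input, preserving input order."""
    rows = []
    for value in values:
        h = value.strip().lower()
        if classify_hash(h) is None:
            rows.append((value, "Invalid Hash"))  # not a SHA256, SHA1 or MD5 hex string
            continue
        hit = SAMPLE_INDEX.get(h)
        if hit is None:
            rows.append((h, "Not Found"))  # well-formed hash, no matching artifact
            continue
        sha256, scan = hit
        rows.append((sha256, "Scan Now" if scan is None else f"{scan[0]}/{scan[1]}"))
    return rows
```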
Searching by Metadata allows you to find Artifacts that have a variety of attributes or content. We support search query strings using the ElasticSearch syntax.
Metadata searches can be entered into the multi-use text box below the “Select file” button on the Scan page. They can also be entered into the text box on the Search page’s Metadata Searching tab. See the Metadata Search API documentation for the full list of query terms.
Once a search is submitted, you are brought to the Search page’s Metadata Searching tab. Below the Search Metadata box will be a list of all search results.
Each search result row shows the SHA-256 hash, the date the artifact was last scanned, the ratio of detections by the microengines, and icon buttons to view the artifact's metadata details and to download the artifact. If the detection result says "Scan Now", the file has not been scanned yet; click "Scan Now" to run the initial scan on that file.
Clicking on the detection ratio will take you to the scan results page. At the far right side of the row is an arrow icon to expand the metadata details for each artifact. These metadata details are the same information that is found on the scan results page’s File Details tab.
The number of artifact results per page can be changed with the dropdown at the bottom of the page. The default is 25 results per page, which can be changed to 50, 100, or 200. Next to the dropdown are buttons to go to the first, previous, and next page of results.
Each page of metadata search results that is viewed counts as one use of the metadata search feature of the account plan. Reloading the page to show more results also counts as one metadata search.