The DASCLI find command finds a file object by file name or hash identifier and optional qualifiers.
Authentication is required to use this command.
Parameters
dascli find {file_name | hash} [qualifiers]
- file_name
  Path and name of the file. Wildcards can be used. Filenames alone can be used. Partial paths and relative paths will fail.
- hash
  Hash identifier for the file.
- qualifiers
  To restrict the result set, specify one or more qualifiers:
  - BannedGlobally, BannedHash, GloballyBanned, NameReportBanned
  - CertMeetsApprovalRequirements, CertDoesNotMeetApprovalRequirements
  - Crawlable, NotCrawlable
  - DepCompatible, DepIncompatible
  - Executed, NotExecuted
  - Initialized, NotInitialized
  - Local, Remote
  - LocalInstaller, ServerInstaller, ServerNotInstaller, Installer, NotInstaller
  - LocallyApproved, ApprovedGlobally
  - Metered
  - Signed, NotSigned
  - TrustedPublisher, UntrustedPublisher
  - Unapproved, Unapproved (Persisted)
  - Uninteresting
For example, the following command shows all files ending in foo.exe that are both unapproved and marked as installers:
dascli find *foo.exe Unapproved Installer
Output
For each file identified, the following information is shown:
- Hash information, whether SHA-256, MD5, or SHA-1.
- Hash information, which applies to all local instances of the file.
- Certificate details, if signed.
- Name information, which is details on the individual named instance of the file.
- Approval reasons, if any are available.
- Kernel information for the state of the file as determined in the filter driver.
- YARA classifications for the file.