Specifications for using Regular Expressions within an Application and Device Control policy.

Article ID: 152366

Products

Endpoint Protection

Issue/Introduction

What Regular Expression syntax options are available in an Application and Device Control policy?


Cause

You can use Regular Expressions to match file system and registry locations in an Application and Device Control policy. You wish to know how Application and Device Control implements regular expressions.

Resolution

A few base behaviors differ from standard regular expression usage, so that matching follows how the Windows file system and Windows registry treat names:


  • All characters are Unicode.
  • A character is considered to be in a set if either its lower-case form or its upper-case form is in the set, i.e. all character comparison is done case-insensitively.
  • ^ is prepended and $ appended to every regular expression, so a pattern must match the entire string, not a substring.


The syntax supported by Application and Device Control is listed here:


  1. Character : Matches itself, unless it is a special character (metachar): . \ [ ] * + ^ $
  2. . : Matches any character.
  3. \ : Matches the character following it, except when followed by a left or right round bracket, a digit 1 to 9, or a left or right angle bracket (see [7], [8], [9]). It is used as an escape character for all other meta-characters, and for itself. When used in a set ([4]), it is treated as an ordinary character.
  4. [set] : Matches one of the characters in the set. If the first character in the set is "^", it matches a character NOT in the set, i.e. complements the set. A shorthand S-E is used to specify a set of characters S up to E, inclusive. The special characters "]" and "-" have no special meaning if they appear as the first chars in the set.
  5. * : Any regular expression form [1] to [4] followed by closure character (*) matches zero or more matches of that form.
  6. + : Same as [5], except it matches one or more.
  7. A regular expression in the form [1] to [10], enclosed as \(form\) matches what form matches. The enclosure creates a set of tags, used for [8] and for pattern substitution. The tagged forms are numbered starting from 1.
  8. A \ followed by a digit 1 to 9 matches whatever a previously tagged regular expression ([7]) matched.
  9. \< \> : A regular expression starting with a \< construct and/or ending with a \> construct restricts the pattern matching to the beginning of a word and/or the end of a word. A word is defined to be a character string beginning and/or ending with the characters A-Z, a-z, 0-9 and _. It must also be preceded and/or followed by a character outside those mentioned.
  10. A composite regular expression xy where x and y are in the form [1] to [10] matches the longest match of x followed by a match for y.
  11. ^ $ : A regular expression starting with a ^ character and/or ending with a $ character, restricts the pattern matching to the beginning of the line, or the end of line [anchors]. Elsewhere in the pattern, ^ and $ are treated as ordinary characters.
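As an added illustration (this is not Symantec's code and not the ADC engine itself), the following Python script translates a pattern written in the dialect listed above into an equivalent Python `re` pattern and applies it the way the engine does: against the whole string and case-insensitively. It is useful for checking, before a policy is deployed, what a rule's path or registry pattern will actually match, and in particular whether the backslashes in a Windows path were doubled, since in this dialect a single backslash escapes the character after it. The function names, the constructed sample paths and the mapping of `\<` and `\>` onto look-around assertions are this example's own assumptions.

```python
import re

# Word characters as item [9] defines them (A-Z, a-z, 0-9 and _), used for \< and \>.
# Python's own \b would also count non-ASCII letters, so the class is spelled out.
_WORD = "[A-Za-z0-9_]"


def _set_member(c):
    """Escape one character for use inside a Python character class."""
    return "\\" + c if c in "\\]^-[" else c


def _translate_set(pattern, i):
    """Translate the set starting at pattern[i] == '[' (item [4]).

    Returns (python_class, index just past the closing ']').
    """
    j = i + 1
    negate = j < len(pattern) and pattern[j] == "^"
    if negate:
        j += 1
    body_start = j
    if j < len(pattern) and pattern[j] == "]":
        j += 1  # a leading ']' is an ordinary member, not the closer
    end = pattern.find("]", j)
    if end == -1:
        raise ValueError("unterminated set in %r" % pattern)
    body = pattern[body_start:end]
    out, k = [], 0
    while k < len(body):
        if k + 2 < len(body) and body[k + 1] == "-":
            # S-E range; a '-' in first or last position falls through as a literal
            out.append(_set_member(body[k]) + "-" + _set_member(body[k + 2]))
            k += 3
        else:
            out.append(_set_member(body[k]))  # backslash is ordinary inside a set
            k += 1
    return "[" + ("^" if negate else "") + "".join(out) + "]", end + 1


def adc_to_python(pattern):
    """Translate an ADC-dialect pattern into an equivalent Python `re` pattern."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":  # item [3]: escape, tag, back-reference or word anchor
            if i + 1 >= n:
                raise ValueError("pattern ends with a lone backslash: %r" % pattern)
            nxt = pattern[i + 1]
            if nxt in "()":
                out.append(nxt)  # \( \) form a tagged group (item [7])
            elif nxt in "123456789":
                out.append("\\" + nxt)  # back-reference to a tag (item [8])
            elif nxt == "<":
                out.append("(?<!%s)(?=%s)" % (_WORD, _WORD))  # start of word (item [9])
            elif nxt == ">":
                out.append("(?<=%s)(?!%s)" % (_WORD, _WORD))  # end of word (item [9])
            else:
                out.append(re.escape(nxt))  # \x matches x, including \\ and \.
            i += 2
        elif c == "[":
            cls, i = _translate_set(pattern, i)
            out.append(cls)
        else:
            if c in ".*+":
                out.append(c)  # same meaning in both dialects (items [2], [5], [6])
            elif c == "^":
                out.append("^" if i == 0 else r"\^")  # anchor only at the start (item [11])
            elif c == "$":
                out.append("$" if i == n - 1 else r"\$")  # anchor only at the end (item [11])
            else:
                # Everything else is literal, including ( ) { } ? |, which re would treat as special.
                out.append(re.escape(c))
            i += 1
    return "".join(out)


def adc_match(pattern, text):
    """True if `text` matches `pattern` as the engine applies it: whole string, case-insensitive."""
    return re.fullmatch(adc_to_python(pattern), text, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Constructed sample paths; the second case shows the common mistake of single backslashes.
    checks = [
        (r"C:\\Program Files\\.*\\setup\.exe", r"C:\Program Files\Vendor\SETUP.EXE"),
        (r"C:\Program Files\*", r"C:\Program Files\x"),
        (r"cmd", "cmd.exe"),
        (r".*\<cmd\>.*", "runcmd now"),
    ]
    for pat, path in checks:
        print("%-40s %-35s -> %s" % (pat, path, adc_match(pat, path)))
```

Two limits of this model are worth keeping in mind when you use it to vet a policy: the translator accepts a closure (`*` or `+`) after a tagged group even though item [5] only defines closure for forms [1] to [4], and Python's Unicode case folding is not guaranteed to agree with the engine's own comparison for every non-ASCII character. Treat a match here as a reason to test the rule in a non-production policy, not as proof of what the engine will do.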