What is the difference in the regex detection in Data Loss Prevention 14.6?

Article ID: 169509

Products

Data Loss Prevention Enforce

Issue/Introduction

The regex engine has been modified in Data Loss Prevention (DLP) 14.6.

How does regex detection in Data Loss Prevention (DLP) 14.6 differ from previous versions?

Cause

Prior to DLP 14.6, the endpoint agent and the detection servers used different regex engines, so some regular expressions were interpreted differently depending on the channel. However, both engines supported PCRE-compatible syntax. Customers are advised to always implement PCRE-compliant regular expressions. In DLP 14.6, a new, common, high-performance regex engine was introduced across both the detection servers and the endpoint agent.

Resolution

The new, common regex engine in DLP 14.6 supports PCRE-compatible regex syntax.

PCRE-compatible regex conditions are also evaluated consistently across endpoint and server.

The new regex engine performs single-pass detection in a “no match” scenario instead of running detection multiple times (once for each rule) on the same message. As a result, it evaluates regular expressions much faster than the legacy server-side and agent-side engines. These performance improvements are especially noticeable not just in the “no match” scenario, but also when customers have DLP policy sets with many regex rules, since the new engine incurs very little performance cost as more regex rules are added.