Application Control Regular Expression syntax in Symantec Endpoint Protection

Article ID: 178636

Products

Endpoint Protection

Resolution

The Application and Device Control (ADC) feature in Symantec Endpoint Protection (SEP) 11.0 and 12.1 can use Regular Expression (or "regex") syntax in rules to match file names and registry keys.

The regex syntax used in ADC differs in a number of ways from common regex: some features use a different syntax or are not supported, and certain ADC-specific features, such as importing registry and environment strings into the pattern, are added. This article lists the key differences versus common regex syntax and provides working examples.

Capturing groups / backreferences

In ADC the syntax for a capturing group is \(pattern\) instead of the common (pattern).

  • Working example: c:\\test\([XYZ]+\)test\1.exe (matches c:\testXYZtestXYZ.exe but not c:\testXYZtestZYX.exe)
  • Not working: c:\\test([XYZ]+)test\1.exe

Unescaped parentheses are treated as literal characters in ADC.

  • Working example: C:\\Program Files (x86)\\test\\test\.exe
  • Not working: C:\\Program Files \(x86\)\\test\\test\.exe


Beginning and end anchors

The ^ and $ beginning and end anchors are added automatically at the start and end of the pattern in ADC. When entered manually in the policy editor, they are treated as literal characters.

  • Working example: c:\\file\.txt (matches c:\file.txt - does not match c:\file.txtxt etc.)
  • Not working: c:\\file\.txt$ (matches c:\file.txt$, with a literal $ in the file name, but does not match c:\file.txt)

Since the beginning/end anchors are automatically added, the entered pattern must always match the entire path string.

  • Working example: .*\\notepad\.exe (matches the file notepad.exe in any folder)
  • Not working: notepad\.exe (becomes ^notepad\.exe$ internally and does not match the full path of the file)


Case sensitivity

The regex patterns are always case-insensitive in ADC.


Unsupported features

  • \d, \w and \s character classes (and the \D, \W, \S reverse versions)
    • Instead of \d for digits use [0-9]
    • Instead of \w for word characters use [a-z0-9_]
    • Working example: c:\\[a-z0-9_]+-[0-9][0-9][0-9]\.exe (matches c:\test-123.exe)
    • Not working: c:\\\w+-\d\d\d\.exe (matches the file c:\www-ddd.exe and not c:\test-123.exe)
  • {nn} and {nn,nn} curly bracket quantifiers
    • As an alternative to {nn}, the pattern can be repeated:
    • Working example: c:\\test[XYZ][XYZ][XYZ]\.exe (matches c:\testYYY.exe but not c:\testYYYY.exe)
    • Not working: c:\\test[XYZ]{3}\.exe
  • ? to indicate optional (quantifier for "zero or one")
    • In some cases it may be possible to use the * quantifier for "zero or more" instead of ?
    • Partially working: c:\\colou*r\.exe (matches c:\color.exe and c:\colour.exe, but also c:\colouur.exe)
    • Not working: c:\\colou?r\.exe
  • a|b (pipe character) to indicate a logical OR
    • A possible workaround is to use two separate ADC rules instead.
    • Not working: c:\\\(red|green\)\.exe
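
A pre-deployment check for the list above, added here as an example (it is not part of the original article and not Symantec's own tooling): it tokenizes a candidate pattern, applies the two replacements the article documents (\d to [0-9], \w to [a-z0-9_]) and the repeat-the-atom workaround for {n}, and reports every construct that has no ADC equivalent so the rule can be rewritten before it is pushed in a policy. The tokenizer and the names lint_adc_pattern, CLASS_REPLACEMENT and UNREPLACEABLE are the example's own assumptions; ADC's real parser is not documented on this page.

```python
import re

# One token per step: an escape pair, a bracket class, a curly quantifier, or a single character.
# The tokenizer is the example's own assumption; ADC's real parser is not documented on this page.
TOKEN = re.compile(r'\\.|\[[^\]]*\]|\{\d+(?:,\d+)?\}|.', re.DOTALL)

# Replacements the article documents for two of the unsupported shorthand classes.
CLASS_REPLACEMENT = {r'\d': '[0-9]', r'\w': '[a-z0-9_]'}
# Shorthand classes the article lists as unsupported without giving a replacement.
UNREPLACEABLE = (r'\s', r'\D', r'\W', r'\S')


def lint_adc_pattern(pattern):
    """Return (rewritten_pattern, warnings) for a candidate ADC pattern.

    Supported constructs pass through untouched. Unsupported ones are rewritten
    where the article gives an equivalent and reported where it does not.
    """
    out, warnings = [], []
    for tok in TOKEN.findall(pattern):
        if tok in CLASS_REPLACEMENT:
            out.append(CLASS_REPLACEMENT[tok])
            warnings.append(f'{tok} is not supported; rewritten as {CLASS_REPLACEMENT[tok]}')
        elif tok in UNREPLACEABLE:
            out.append(tok)
            warnings.append(f'{tok} is not supported; spell the class out as a bracket expression')
        elif tok.startswith('{'):
            exact = re.fullmatch(r'\{(\d+)\}', tok)
            # Only a single bracket class, escape pair or character can be repeated verbatim;
            # {n} after a quantifier or a \(...\) group is reported instead of rewritten.
            if exact and out and out[-1] not in ('*', '+', r'\)'):
                atom = out.pop()
                out.extend([atom] * int(exact.group(1)))
                warnings.append(f'{tok} is not supported; repeated {atom} {exact.group(1)} times instead')
            else:
                out.append(tok)
                warnings.append(f'{tok} is not supported and has no documented ADC equivalent')
        elif tok == '?':
            out.append(tok)
            warnings.append('? is not supported; * (zero or more) is the nearest substitute but over-matches')
        elif tok == '|':
            out.append(tok)
            warnings.append('| is not supported; put each alternative in its own ADC rule')
        else:
            out.append(tok)
    return ''.join(out), warnings


if __name__ == '__main__':
    # Constructed candidates, taken from the "Not working" examples above.
    for candidate in (r'c:\\\w+-\d\d\d\.exe', r'c:\\test[XYZ]{3}\.exe',
                      r'c:\\colou?r\.exe', r'c:\\\(red|green\)\.exe'):
        rewritten, notes = lint_adc_pattern(candidate)
        print(candidate, '->', rewritten)
        for note in notes:
            print('   ', note)
```

Run the file directly to see the rewrite and the warnings for each candidate; the rewritten form of the \w/\d example and of the {3} example is exactly the "Working example" the article gives for each, while the ? and | cases come back unchanged with a warning, since the article offers no drop-in replacement for them.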


Unique Application Control features

Importing registry value strings with #

  • Example: #HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir#\\Messenger\\msmsgs\.exe
    • Matches C:\Program Files\Messenger\msmsgs.exe, and also works on a localized OS where the "Program Files" folder has a different name.
  • Example: #HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData#\\test\.exe
    • Matches the test.exe file in the user "Application Data" folder.
  • Not working: #HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir#\\Messenger\\msmsgs\.exe
    • Abbreviated hive names such as HKLM and HKCU do not work.

Importing environment variable strings with %

  • Example: %windir%\\winhlp32\.exe
    • Matches the winhlp32.exe executable in the Windows folder, even if that folder is named differently or is on a drive other than C:
  • Example: %APPDATA%\\test\.exe
    • Matches the test.exe file in the user "Application Data" folder.
  • Example: %TEMP%\\test\.exe
    • Matches the test.exe file in the user TEMP folder, but not in the system TEMP (c:\windows\temp)

To match a literal % in a file name, use %%.

  • Example: .*\\.*%%20.*\.exe (matches all executables with %20 in the name)
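
The rules from the whole article (\( \) capturing groups, literal parentheses, implicit ^ and $ anchors, case-insensitive matching, and the # and % import strings including %%) as one offline emulator, added here as an example; it is not code from the article or from the product. Checking a pattern against sample paths this way before it goes into a policy catches the "Not working" cases above without touching an endpoint. adc_to_python_regex, adc_match, REGISTRY and ENV are the example's own names; REGISTRY and ENV are constructed lookup tables standing in for a (here German-localized) test machine, and the tokenizer and the assumption that an imported string is inserted as literal text rather than re-parsed as regex are the example's, not statements from the article.

```python
import re

# One token per step: an escape pair, a bracket class, or a single character.
# This tokenizer is the example's own assumption; ADC's real parser is not documented here.
TOKEN = re.compile(r'\\.|\[[^\]]*\]|.', re.DOTALL)


def adc_to_python_regex(pattern, registry=None, env=None):
    """Translate an ADC pattern into an equivalent Python regex.

    registry maps full registry value paths (as written between # and #) to
    their string data; env maps environment variable names to their values.
    Both are caller-supplied tables, nothing here reads the live system.
    Imported strings are assumed to be inserted as literal text.
    """
    registry = {k.lower(): v for k, v in (registry or {}).items()}
    env = {k.upper(): v for k, v in (env or {}).items()}
    literals = []  # imported strings, re-inserted after translation so their characters stay literal

    def hold(value):
        literals.append(re.escape(value))
        return f'\x00{len(literals) - 1}\x00'  # NUL-delimited placeholder, cannot occur in a path pattern

    def lookup(table, name):
        if name not in table:
            raise ValueError(f'no value available for imported string {name!r}')
        return hold(table[name])

    text = pattern.replace('%%', hold('%'))  # %% stands for a literal percent sign
    text = re.sub(r'#([^#]+)#', lambda m: lookup(registry, m.group(1).lower()), text)
    text = re.sub(r'%([^%]+)%', lambda m: lookup(env, m.group(1).upper()), text)

    out = []
    for tok in TOKEN.findall(text):
        if tok == r'\(':
            out.append('(')          # \( ... \) is the ADC capturing group
        elif tok == r'\)':
            out.append(')')
        elif tok in ('(', ')', '^', '$'):
            out.append('\\' + tok)   # bare parentheses and anchors are literal characters in ADC
        else:
            out.append(tok)          # \\, \., [...], *, +, \1 and plain characters keep their meaning
    translated = ''.join(out)
    return re.sub(r'\x00(\d+)\x00', lambda m: literals[int(m.group(1))], translated)


def adc_match(pattern, path, registry=None, env=None):
    """True if ADC would match the path: the pattern must cover the whole string, case-insensitively."""
    rx = adc_to_python_regex(pattern, registry, env)
    return re.fullmatch(rx, path, re.IGNORECASE) is not None


# Constructed lookup tables standing in for a German-localized test machine (not real data).
REGISTRY = {r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir': r'C:\Programme'}
ENV = {'windir': r'D:\WINNT', 'TEMP': r'C:\Users\alice\AppData\Local\Temp'}

if __name__ == '__main__':
    # (pattern, sample path, expected result), taken from the examples in the article.
    checks = [
        (r'c:\\test\([XYZ]+\)test\1.exe', r'c:\testXYZtestXYZ.exe', True),
        (r'c:\\test\([XYZ]+\)test\1.exe', r'c:\testXYZtestZYX.exe', False),
        (r'C:\\Program Files (x86)\\test\\test\.exe', r'C:\Program Files (x86)\test\test.exe', True),
        (r'c:\\file\.txt$', r'c:\file.txt', False),
        (r'notepad\.exe', r'c:\windows\notepad.exe', False),
        (r'.*\\notepad\.exe', r'C:\WINDOWS\NOTEPAD.EXE', True),
        (r'#HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir#\\Messenger\\msmsgs\.exe',
         r'C:\Programme\Messenger\msmsgs.exe', True),
        (r'%windir%\\winhlp32\.exe', r'D:\WINNT\winhlp32.exe', True),
        (r'.*\\.*%%20.*\.exe', r'c:\downloads\my%20file.exe', True),
    ]
    for pat, path, expected in checks:
        got = adc_match(pat, path, REGISTRY, ENV)
        print('ok  ' if got == expected else 'BAD ', pat, '->', path)
```

Placeholders are substituted before the syntax pass and the imported values are re-escaped afterwards, so a registry value such as C:\Program Files (x86) keeps its parentheses as literal characters instead of being read as a group; the ^ and $ that the policy editor would treat as literals are escaped for the same reason. A missing import name raises ValueError rather than silently matching nothing, which mirrors the article's HKLM example failing.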