The Application and Device Control (ADC) feature in Symantec Endpoint Protection (SEP) 11.0 and 12.1 can use Regular Expression (or "regex") syntax in rules to match file names and registry keys.
The regex syntax used by ADC differs from common regex dialects in several ways: some features use a different syntax or are not supported at all, and ADC adds extensions of its own, such as importing registry values and environment variables into a pattern. This article lists the key differences versus common regex syntax and gives a working example for each.
Capturing groups / backreferences
In ADC the syntax for a capturing group is \(pattern\) instead of the common (pattern). Backreferences use the usual \1, \2 form.
- Working example: c:\\test\([XYZ]+\)test\1\.exe (matches c:\testXYZtestXYZ.exe but not c:\testXYZtestZYX.exe)
- Not working: c:\\test([XYZ]+)test\1\.exe (the parentheses are literals, so no group exists for \1 to refer to)
Un-escaped parentheses are treated as literal characters in ADC, so a path that contains them needs no escaping.
- Working example: C:\\Program Files (x86)\\test\\test\.exe
- Not working: C:\\Program Files \(x86\)\\test\\test\.exe (this makes x86 a capturing group instead of matching the folder name)
Beginning and end anchors
ADC adds the ^ and $ anchors automatically at the start and end of every pattern. If you type them yourself in the policy editor, they are treated as literal characters.
- Working example: c:\\file\.txt (matches c:\file.txt - does not match c:\file.txtxt etc.)
- Not working: c:\\file\.txt$ (matches c:\file.txt$ (with the $ in the filename) - does not match c:\file.txt)
Because the anchors are added automatically, the pattern must always match the entire path string, not just the file name.
- Working example: .*\\notepad\.exe (matches the file notepad.exe in any folder)
- Not working: notepad\.exe (becomes ^notepad\.exe$ internally and therefore never matches the full path of a file)
Case sensitivity
The regex patterns are always case-insensitive in ADC.
Unsupported features
- \d, \w and \s character classes (and their negated forms \D, \W and \S). ADC treats the letter after the backslash as a literal character.
  - Instead of \d for digits, use [0-9]
  - Instead of \w for word characters, use [a-z0-9_]
  - Working example: c:\\[a-z0-9_]+-[0-9][0-9][0-9]\.exe (matches c:\test-123.exe)
  - Not working: c:\\\w+-\d\d\d\.exe (matches the file c:\www-ddd.exe, not c:\test-123.exe)
- {n} and {n,m} curly-bracket quantifiers
  - As an alternative to {n}, repeat the pattern n times:
  - Working example: c:\\test[XYZ][XYZ][XYZ]\.exe (matches c:\testYYY.exe but not c:\testYYYY.exe)
  - Not working: c:\\test[XYZ]{3}\.exe
- ? as the "zero or one" quantifier
  - In some cases the * quantifier ("zero or more") can be used instead of ?, at the cost of also matching longer repetitions:
  - Partially working: c:\\colou*r\.exe (matches c:\color.exe and c:\colour.exe, but also c:\colouur.exe)
  - Not working: c:\\colou?r\.exe
- a|b (pipe character) for a logical OR
  - The workaround is to create two separate ADC rules, one per alternative.
  - Not working: c:\\\(red|green\)\.exe
Unique Application Control features
Importing registry value strings with #
- Example: #HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir#\\Messenger\\msmsgs\.exe
- Matches C:\Program Files\Messenger\msmsgs.exe also on localized OS where "Program Files" is named differently.
- Example: #HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData#\\test\.exe
- Matches the test.exe file in the user "Application Data" folder.
- Not working: #HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir#\\Messenger\\msmsgs\.exe
- Shorthand hive names such as HKLM and HKCU are not expanded; the full hive name (HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER) must be used.
Importing environment variable strings with %
- Example: %windir%\\winhlp32\.exe
- Matches the winhlp32.exe executable in the Windows folder, even if that folder is named differently or is on a drive other than C:
- Example: %APPDATA%\\test\.exe
- Matches the test.exe file in the user "Application Data" folder.
- Example: %TEMP%\\test\.exe
- Matches the test.exe file in the user TEMP folder, but not in the system TEMP (c:\windows\temp)
To match a literal % in a file name, write %%.
- Example: .*\\.*%%20.*\.exe (match all executables with %20 in the name)
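To check a pattern before it goes into a policy, the following Python script emulates the ADC dialect exactly as documented above. It is an added example, not code from the Symantec article or product: it translates an ADC pattern into an equivalent Python regex (implicit anchors at both ends, case-insensitive matching, \( \) as the group syntax, ( ) ? | { } ^ $ as literals, \d \w \s as plain letters, #...# registry and %...% environment imports, %% as a literal percent sign) and lints a pattern for common-regex habits that ADC treats differently. The registry and environment tables are constructed stand-ins so the script runs offline on any OS; a real ADC client reads the live values. Bracket expressions such as [XYZ] are assumed to behave as in common regex, since the article does not say otherwise.

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-ins for the Windows registry and the process environment
# (assumption for this example; a real ADC client reads the live values).
SAMPLE_REGISTRY: Dict[str, str] = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir": r"C:\Program Files",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData": r"C:\Users\alice\AppData\Roaming",
}
SAMPLE_ENV: Dict[str, str] = {"windir": r"C:\Windows", "APPDATA": r"C:\Users\alice\AppData\Roaming"}


def _tokenize(pattern: str) -> List[Tuple[str, str]]:
    """Split an ADC pattern into (kind, text) tokens: escape, class, reg, env or char."""
    toks: List[Tuple[str, str]] = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:                      # \\ \. \( \) \1 and similar
            toks.append(("escape", pattern[i:i + 2]))
            i += 2
        elif c == "[":                                   # bracket expression, copied verbatim
            end = pattern.find("]", i + 1)
            if end < 0:
                raise ValueError("unterminated [ in ADC pattern")
            toks.append(("class", pattern[i:end + 1]))
            i = end + 1
        elif c == "%" and pattern.startswith("%%", i):   # %% is a literal percent sign
            toks.append(("char", "%"))
            i += 2
        elif c in "#%":                                  # #registry value# or %ENV_VAR% import
            end = pattern.find(c, i + 1)
            if end < 0:
                raise ValueError(f"unterminated {c}...{c} import in ADC pattern")
            toks.append(("reg" if c == "#" else "env", pattern[i + 1:end]))
            i = end + 1
        else:
            toks.append(("char", c))
            i += 1
    return toks


def _lookup(table: Dict[str, str], key: str, what: str) -> str:
    """Case-insensitive lookup; registry paths and Windows variable names are not case-sensitive."""
    for k, v in table.items():
        if k.lower() == key.lower():
            return v
    raise KeyError(f"{what} value {key!r} not found (shorthand hive names such as HKLM are not expanded)")


def adc_to_python(pattern: str, registry=SAMPLE_REGISTRY, env=SAMPLE_ENV) -> str:
    """Translate an ADC pattern into an equivalent Python regex, anchored at both ends."""
    parts: List[str] = []
    for kind, text in _tokenize(pattern):
        if kind == "escape":
            e = text[1]
            if e in "()":
                parts.append(e)                  # \( ... \) is the ADC capturing group
            elif e in "dwsDWS":
                parts.append(e)                  # no such class in ADC: matches the letter itself
            else:
                parts.append(text)               # \\ \. \1 keep their usual meaning
        elif kind == "reg":
            parts.append(re.escape(_lookup(registry, text, "registry")))
        elif kind == "env":
            parts.append(re.escape(_lookup(env, text, "environment")))
        elif kind == "char" and text in "()?|{}^$%":
            parts.append(re.escape(text))        # all plain literals in ADC
        else:
            parts.append(text)                   # bracket expressions, . * + and ordinary characters
    return r"\A(?:" + "".join(parts) + r")\Z"    # ADC anchors every pattern implicitly


def adc_match(pattern: str, path: str, registry=SAMPLE_REGISTRY, env=SAMPLE_ENV) -> bool:
    """True if ADC would treat `path` as a match for `pattern` (always case-insensitive)."""
    return re.search(adc_to_python(pattern, registry, env), path, re.IGNORECASE) is not None


def lint_adc_pattern(pattern: str) -> List[str]:
    """Flag common-regex habits that ADC silently treats differently."""
    notes: List[str] = []

    def note(msg: str) -> None:
        if msg not in notes:
            notes.append(msg)

    for kind, text in _tokenize(pattern):
        if kind == "escape" and text[1] in "dwsDWS":
            note(f"{text} is not a character class in ADC; use [0-9] or [a-z0-9_] instead")
        elif kind == "char" and text in "?|{}":
            note(f"{text!r} is a literal in ADC; repeat the atom, use *, or split into two rules")
        elif kind == "char" and text in "()":
            note(f"{text!r} is a literal in ADC; write \\( and \\) if a group was intended")
        elif kind == "char" and text in "^$":
            note(f"{text!r} is a literal in ADC; the anchors are added implicitly")
    if not re.match(r"(?i)[a-z]:\\\\|\.\*|[#%]", pattern):
        note("pattern must cover the full path: start with a drive letter, .*, #...# or %...%")
    return notes


if __name__ == "__main__":
    for p in (r".*\\notepad\.exe", r"notepad\.exe", r"c:\\\w+-\d\d\d\.exe", r"c:\\colou?r\.exe"):
        print(p, "->", lint_adc_pattern(p) or "ok")
```

Run the lint over every pattern in a policy export before deploying it; a rule that "never fires" is usually one of the cases flagged here, most often a bare file name without a leading .*\\ or a \d that quietly became the letter d.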