This article provides guidance for wildcard usage in Custom Rules and how to verify wildcards in File or Process paths.
App Control recognizes the following wildcard characters:
Example Endpoint Path: C:\ProgramData\AccountingSoftware\version 7.92\fancyMath.dll
Example Rule Path: C:\ProgramData\AccountingSoftware\version??.??\fancyMath.dll
Example Endpoint Path: C:\ProgramData\AccountingSoftware\version 7.92\fancyMath.dll
Example Rule Path: C:\ProgramData\AccountingSoftware\*.dll
Example Endpoint Path: C:\ProgramData\AccountingSoftware\version 7.92\fancyMath.dll
Example Rule Path: C:\ProgramData\AccountingSoftware\%\%.dll
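An offline pre-check for the three example rule paths above, added here as an illustration; it is not App Control's own matcher and not code from the original article. The meanings given to `?`, `*` and `%`, and the case-insensitive comparison, are assumptions inferred from those example pairs. The nested `plugins` path is constructed to show a rule covering more than intended, and `testpattern` on the agent remains the authoritative check.

```python
import re

def rule_to_regex(rule, ignore_case=True):
    """Translate a rule path into a regex under the ASSUMED wildcard semantics:
    ?  one character; *  any run, may cross \\ or /; %  any run inside one
    path component (stops at \\ or /). Inferred from the article's examples."""
    parts = []
    for ch in rule:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        elif ch == "%":
            parts.append(r"[^\\/]*")
        else:
            parts.append(re.escape(ch))
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    return re.compile("".join(parts), flags)

def rule_matches(rule, path, ignore_case=True):
    """True when the whole path matches the rule (no partial matches)."""
    return rule_to_regex(rule, ignore_case).fullmatch(path) is not None

def audit(rule, expected, forbidden):
    """Return (missed, overbroad): expected paths the rule fails to cover,
    and paths it should not cover but does."""
    missed = [p for p in expected if not rule_matches(rule, p)]
    overbroad = [p for p in forbidden if rule_matches(rule, p)]
    return missed, overbroad

# Endpoint path and rule paths from the article.
ENDPOINT = r"C:\ProgramData\AccountingSoftware\version 7.92\fancyMath.dll"
RULES = [
    r"C:\ProgramData\AccountingSoftware\version??.??\fancyMath.dll",
    r"C:\ProgramData\AccountingSoftware\*.dll",
    r"C:\ProgramData\AccountingSoftware\%\%.dll",
]
# Constructed path one directory deeper, which the rule author may not intend to cover.
NESTED = r"C:\ProgramData\AccountingSoftware\version 7.92\plugins\other.dll"

if __name__ == "__main__":
    for rule in RULES:
        missed, overbroad = audit(rule, [ENDPOINT], [NESTED])
        print(rule)
        print("  missed:", missed or "none", "| overbroad:", overbroad or "none")
```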
Example One: C:\ProgramData\AccountingSoftware\
Example Two: C:\ProgramData\AccountingSoftware\*
Valid Directory: C:\ProgramData\AccountingSoftware\
Not a Valid Directory: C:\ProgramData\AccountingSoftware
Macro Structure: <OnlyIf:Condition:Value>
Examples:
<OnlyIf:Hostname:*FileServer0?>*\temp\*.txt
<OnlyIf:ProductVersion:1.52.33:C:\Program Files\AcmeAccounting\Acme.exe>C:\Program Files\AcmeAccounting\*.exe
Using the testpattern command, you can test a path as entered in the Custom Rule against an actual path on the endpoint. This command:
testpattern <Test Path> <Actual Path>
cd "C:\Program Files (x86)\Bit9\Parity Agent"
dascli password GlobalCLIPassword
dascli testpattern "C:\ProgramData\Acme Accounting\*.dll" "C:\ProgramData\Acme Accounting\math.dll"

cd "/Applications/Bit9/Tools"
./b9cli --password GlobalCLIPassword
./b9cli --testpattern "/Library/Application Support/Acme Accounting/*.sh" "/Library/Application Support/Acme Accounting/math.sh"

cd /opt/bit9/bin
./b9cli --password GlobalPassword
./b9cli --testpattern "/opt/Acme Accounting/*.sh" "/opt/Acme Accounting/math.sh"
Expanded Pattern: /opt/Acme Accounting/*.sh
Normalized Filename: /opt/Acme Accounting/math.sh
Match
<ProgramFiles*>\AcmeAccounting\*.exe
<ProgramFilesx86>\AcmeAccounting\*.exe
<ProgramFiles>\AcmeAccounting\*.exe