This article provides guidance for wildcard usage in Custom Rules and how to verify wildcards in File or Process paths.

• App Control Console: All Supported Versions
• App Control Agent: All Supported Versions

Wildcards in Custom Rules

App Control recognizes the following wildcard characters:

• Single Character: Use a question mark (?)

  Example Endpoint Path: C:\ProgramData\AccountingSoftware\version 7.92\fancyMath.dll
  Example Rule Path: C:\ProgramData\AccountingSoftware\version??.??\fancyMath.dll
  

• Unlimited Characters
  • Across unlimited subdirectories: Use an asterisk (*)

    Example Endpoint Path: C:\ProgramData\AccountingSoftware\version 7.92\fancyMath.dll
    Example Rule Path: C:\ProgramData\AccountingSoftware\*.dll

  • Windows Agent Only Within current directory only: Use the percent symbol (%)

    Example Endpoint Path: C:\ProgramData\AccountingSoftware\version 7.92\fancyMath.dll
    Example Rule Path: C:\ProgramData\AccountingSoftware\%\%.dll

• Ending a Path: Ending a path with a backslash will be recursive through all files, folders, and subfolders. The two paths in the example below would be identical

  Example One: C:\ProgramData\AccountingSoftware\
  Example Two: C:\ProgramData\AccountingSoftware\*

• Specifying a Directory: App Control will treat any path that does not end with a backslash as a file name.

  Valid Directory: C:\ProgramData\AccountingSoftware\
  Not a Valid Directory: C:\ProgramData\AccountingSoftware

• Using With Macros: Wildcards are not allowed in a Macro Condition, but can be used in a Macro Value.

  Macro Structure: <OnlyIf:Condition:Value>
  Examples: 
  <OnlyIf:Hostname:*FileServer0?>*\temp\*.txt
  <OnlyIf:ProductVersion:1.52.33:C:\Program Files\AcmeAccounting\Acme.exe>C:\Program Files\AcmeAccounting\*.exe

Verifying Wildcards in File or Process paths:

Using the testpattern command it is possible to test a path as entered in the Custom Rule against an actual path on the endpoint. This command:

• requires authentication with the Agent.
• compares against an existing, full path on the machine.
• entered using the following pattern:

  testpattern <Test Path> <Actual Path>

1. Verify the relevant path in the Custom Rule.
2. Log in to the endpoint and in a command prompt issue the following commands:
   • Windows:

     cd "C:\Program Files (x86)\Bit9\Parity Agent"
     dascli password GlobalCLIPassword
     dascli testpattern "C:\ProgramData\Acme Accounting\*.dll" "C:\ProgramData\Acme Accounting\math.dll"
     

   • macOS:

     cd "/Applications/Bit9/Tools"
     ./b9cli --password GlobalCLIPassword
     ./b9cli --testpattern "/Library/Application Support/Acme Accounting/*.sh" "/Library/Application Support/Acme Accounting/math.sh"
     

   • Linux:

     cd /opt/bit9/bin
     ./b9cli --password GlobalPassword
     ./b9cli --testpattern "/opt/Acme Accounting/*.sh" "/opt/Acme Accounting/math.sh"
     

3. The Agent will expand the Test Pattern provided and return results similar to:

   Expanded Pattern: /opt/Acme Accounting/*.sh
   Normalized Filename: /opt/Acme Accounting/math.sh
   Match

Wildcards are not supported in:

• Alert Criteria does not support wildcards. Instead, consider using Criteria such as, "begins with" or "contains".
• The "User or Group" field in Custom Rules do not support wildcards. This field will map to an actual user or group on the computer or network.
• Inside a Path Macro, each Path macro would have to be included. Examples:
  • Not Supported:

    <ProgramFiles*>\AcmeAccounting\*.exe

  • Supported:

    <ProgramFilesx86>\AcmeAccounting\*.exe
    <ProgramFiles>\AcmeAccounting\*.exe

• System Variables (%username%) are not recognized by App Control.
• The asterisk will be recursive through all directories and subdirectories.
• Any path that has no slash or drive letter has "*\" (for Windows) or "*/" (for Mac and Linux) added at the beginning of the path.
• Case Sensitivity of paths is dictated by the Operating System.
• More information can be found in the User Guide chapter, "Custom Software Rules" found on Tech Docs > Server Documentation > User Guide.