Regular Expressions Syntax
Use regular expressions to control applications at a granular level. Endpoint Privilege Management uses the CAtlRegExp library, which is part of the Microsoft ATL Server implementation, and makes use of the regex parser and engine.
Examples
The following examples are from Endpoint Privilege Management QuickStart Templates.
| Application Definition | Regular Expression | Application |
|---|---|---|
| File / Folder Name | %ProgramFiles%( \(x86\))*\\webex\\productivity tools\\ptupdate.exe | Cisco WebEx ptUpdate |
| File / Folder Name | vcredist_x[0-9][0-9]\.exe | Microsoft Visual C++ Redistributable Setup |
| File / Folder Name | ((rdbgsetup)|(msvsmon))\.exe | Microsoft Visual Studio Remote Debugger |
| Command line | (powershell_ise.exe)|(powershell.exe)|(cmd.exe)|(wscript.exe)|(cscript)|(mshta.exe) | Any Trusted Executable |
| Command line arguments | -[rfRM].*[rfRM]\s\W* | rm |
Syntax
|
Metacharacter |
Meaning |
Example |
|---|---|---|
|
Any character except [\^$.|?*+() |
All characters except the listed special characters match a single instance of themselves. To match one of these listed characters use a backslash escape character (see below). |
abc matches abc |
|
\ (backslash) |
Escape character: interpret the next character literally. |
a\+b matches a+b |
|
. (dot) |
Matches any single character. |
a.b matches aab, abb or acb, etc. |
|
[ ] |
Indicates a character class. Matches any character inside the brackets (for example, [abc] matches a, b, and c). |
[abc] matches a, b, or c |
|
^ (caret) |
If this metacharacter occurs at the start of a character class, it negates the character class. A negated character class matches any character except those inside the brackets (for example, [^abc] matches all characters except a, b, and c). If ^ is at the beginning of the regular expression, it matches the beginning of the input (for example, ^[abc] will only match input that begins with a, b, or c). |
[^abc] matches all characters except a, b, and c |
|
- (minus character) |
In a character class, indicates a range of characters (for example, [0-9] matches any of the digits 0 through 9). |
[0-9] matches any of the digits 0 through 9 |
|
? |
Indicates that the preceding expression is optional: it matches once or not at all (for example, [0-9][0-9]? matches 2 and 12). |
ab?c matches ac or abc |
|
+ |
Indicates that the preceding expression matches one or more times (for example, [0-9]+ matches 1, 13, 999, and so on). |
ab+c matches abc and abbc, abbbc, etc. |
|
* (asterisk) |
Indicates that the preceding expression matches zero or more times |
ab*c matches ac and abc, abbc, etc. |
|
| (vertical pipe) |
Alternation operator: separates two expressions, exactly one of which matches. |
a|b matches a or b |
|
??, +?, *? |
Non-greedy versions of ?, +, and *. These match as little as possible, unlike the greedy versions which match as much as possible. Example: given the input <abc><def>, <.*?> matches <abc> while <.*> matches <abc><def>. |
Given the input <abc><def>, <.*?> matches <abc> while <.*> matches <abc><def>. |
|
( ) |
Grouping operator. Example: (\d+,)*\d+ matches a list of numbers separated by commas, such as 1 or 1,23,456. |
(One)|(Two) matches One or Two |
|
{ } |
Indicates a match group. The actual text in the input that matches the expression inside the braces can be retrieved through the CAtlREMatchContext object. |
|
|
\ |
Escape character: interpret the next character literally. For example, [0-9]+ matches one or more digits, but [0-9]\+ matches a digit followed by a plus character. Also used for abbreviations, such as \a for any alphanumeric character; see table below. If \ is followed by a number n, it matches the nth match group (starting from 0). Example: <{.*?}>.*?</\0> matches "<head>Contents</head>". Note that in C++ string literals, two backslashes must be used: "\\+", "\\a", "<{.*?}>.*?</\\0>". |
<{.*?}>.*?</\0> matches <head>Contents</head> |
|
$ |
At the end of a regular expression, this character matches the end of the input. Example: [0-9]$ matches a digit at the end of the input. |
[0-9]$ matches a digit at the end of the input |
|
| |
Alternation operator: separates two expressions, exactly one of which matches. For example, T|the matches The or the. |
T|the matches The or the |
|
! |
Negation operator: the expression following ! does not match the input. Example: a!b matches a not followed by b. |
a!b matches a not followed by b |
