Home » Miscellaneous » AppSense Regular Expression for Microsoft Office

AppSense Regular Expression for Microsoft Office

Posted on by

I needed to add a new rule to AppSense recently on process start.  I wanted the rule to only run when a Microsoft Office application was run.

Now I usually eat regular expressions for breakfast (with some ketchup on top for good measure).  However I noticed that my regular expression wasn’t working in AppSense and it turned out to be the flavour of Regular Expression that it uses.

You see, I tend to use JavaScript regular expressions or .Net regular expressions.  But AppSense was presumably written in C++ and uses the CAtlRegExp regular expression of the ATL class which is…..lame.  Grouping syntax is different, and so is character matching syntax.

To test my regular expressions, rather than update the AppSense policy and wait for it to deploy to the machine, I just downloaded the regular expression tester from here.

So this was my first attempt – the MfcRegex tool said it was a successful match!  So I plonked it into AppSense:

.*\\Microsoft Office\\Office\d\d?\\((WINWORD)|(EXCEL)|(POWERPNT)|(MSACCESS)|(OUTLOOK)|(VISIO)|(WINPROJ))\.EXE$

But wait!  AppSense tries to be clever and escapes the brackets with preceding backslashes (I noticed this in the client debug logs), so this RegEx was failing because AppSense was evaluating it to this:

.*\\Microsoft Office\\Office\d\d?\\\(\(WINWORD\)|\(EXCEL\)|\(POWERPNT\)|\(MSACCESS\)|\(OUTLOOK\)|\(VISIO\)|\(WINPROJ\)\)\.EXE$

So by this point I was close to throwing my computer out of the window, until finally I used this syntax which works like a charm:

.*\\Microsoft Office\\Office\d\d?\\{WINWORD}|{EXCEL}|{POWERPNT}|{MSACCESS}|{OUTLOOK}|{VISIO}|{WINPROJ}\.EXE$

Notice that I have changed the brackets and slightly altered the syntax.  If you wanted to limit it to a specific version of Office (2010 in my case) you can use a regular expression similar to this:

.*\\Microsoft Office\\Office14\\((WINWORD)|(EXCEL)|(POWERPNT)|(MSACCESS)|(OUTLOOK)|(VISIO)|(WINPROJ))\.EXE$



Comments have now been disabled. If you have a question to ask about this post please ask the community!