ThreatLocker supports the use of regular expressions (Regex) within Application Definitions. Regex must be .NET-based, or ThreatLocker may not recognize it.
The ONLY location within the ThreatLocker portal that supports the use of Regex is Application Definitions.
Regex must be written in .NET regular expression syntax. It is recommended that all regular expressions be tested using a .NET-specific Regex tester, such as regexstorm.net, before inserting them into ThreatLocker Application Definitions or Storage Policies.
Inserting Regex Rules Into an Application Definition
Within the ThreatLocker Portal, use the 'Modules' dropdown and select 'Application Control'.
On the 'Application Control' page, you can either select an existing application to edit or select the '+ New Application' button at the top left of the page.
Selecting either of these options will open a side panel titled 'Create Application' or 'Edit Application'. Within that side panel, navigate to the 'Application Files' tab at the top.
Select Full Path, Process Path, or Created By from the 'Condition' dropdown in the 'File Rules' section. Then, enter the desired regular expression, prefixed with 'Regex:', in the 'Value' field. For example:
Regex:\\appdata\\(local|locallow|roaming)\\temp
Note: When creating a Regex rule, ensure that it is not too broad. One of the limitations of Regex is that different strings can match the same Regex rule. Broad Regex rules may allow unintended strings to match, resulting in an insecure Application definition.
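The effect described in the note above can be checked locally before a rule is saved. The following PowerShell is an added example, not ThreatLocker's own code; PowerShell uses the .NET regex engine. The sample paths, the 'anchored' pattern, and the case-insensitive, unanchored matching are assumptions made for illustration.

```powershell
# Added example: constructed sample paths, not taken from ThreatLocker.
# Assumption: matching is unanchored and case-insensitive; the page does not
# state which RegexOptions ThreatLocker applies, so confirm against your own rules.
$options = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase

$patterns = [ordered]@{
    # Pattern from the page (without the 'Regex:' prefix used in the Value field)
    'page example' = '\\appdata\\(local|locallow|roaming)\\temp'
    # Hypothetical tighter variant: anchored to one profile folder and one file name shape
    'anchored'     = '^c:\\users\\[^\\]+\\appdata\\local\\temp\\setup-\d+\.exe$'
}

# Constructed paths covering the ways a rule can be broader than intended
$samplePaths = @(
    'C:\Users\alice\AppData\Local\Temp\setup-1042.exe',     # the file the rule is written for
    'C:\Users\alice\AppData\Roaming\Temp\anything.exe',     # other branch of the alternation
    'C:\Users\alice\AppData\Local\Temporary\tool.exe',      # 'temp' is only a prefix of the folder name
    'D:\share\appdata\local\temp\x\y\other.dll',            # different root, deeper folder
    'C:\Users\alice\AppData\Local\Programs\app\app.exe'     # not under a Temp folder at all
)

function Test-RegexRule {
    param([string]$Pattern, [string[]]$Paths, $Options)
    $rx = [regex]::new($Pattern, $Options)
    foreach ($p in $Paths) {
        # IsMatch succeeds if the pattern matches anywhere in the string
        [pscustomobject]@{ Path = $p; Match = $rx.IsMatch($p) }
    }
}

foreach ($name in $patterns.Keys) {
    "--- $name : $($patterns[$name])"
    Test-RegexRule -Pattern $patterns[$name] -Paths $samplePaths -Options $options |
        Format-Table -AutoSize
}
```

Any path reported as a match that the rule was not written for indicates the rule is too broad and should be tightened or replaced with an exact path.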
Regex Limitations
Although ThreatLocker does support the use of Regex in the locations listed above, a Regex rule does not provide as much control as specifying an exact path or process, because more than a single path or process can match a given Regex rule. It is recommended to use exact paths and process paths whenever possible.