How to Use .NET Regex Within ThreatLocker

2 min. read | Last update: 03.04.2024

ThreatLocker supports the use of regular expressions (Regex) within Application Definitions. Regex must be .NET based or it may not be recognized by ThreatLocker.

The ONLY locations within the ThreatLocker portal that support the use of Regex are Application Definitions and Storage Control Policies.

Regex must be written using .NET syntax. It is recommended to test all regular expressions using a .NET-specific Regex tester such as regexstorm.net before inserting them into ThreatLocker Application Definitions or Storage Policies.

 

Inserting Regex Rules Into an Application Definition

In the ThreatLocker portal, navigate to Modules > Application Control > Applications.

Find the existing application to edit, or click the 'New Application' button to create a new application definition.

Select the 'Application Files' tab in the Create/Edit Application slideout.

 

In the 'File Rules' section, select either Full Path, Process Path, or Created By Process from the 'Condition' dropdown.

In the 'Value' dropdown, enter the desired regular expression prefixed with Regex:

For example:   Regex:\\appdata\\(local|locallow|roaming)\\temp

 

Inserting Regex Rules Into a Storage Control Policy

In the ThreatLocker portal, navigate to Modules > Storage Control > Policies.
 
Find the existing policy that needs a regex rule added or click the 'New Policy' button to create a new policy.
 
In the Create / Edit Storage Policy slideout, in the Conditions section, select 'Selected File Paths'. 
 
Enter Regex: followed by the file path pattern being added to the policy.
For example:  Regex:c:\\users\\bob\\downloads\\[a-z0-9._-]{8}\.exe
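Because the portal accepts the pattern verbatim after the Regex: prefix, it is worth checking a value with the same .NET engine before saving it. The following PowerShell is an added example, not ThreatLocker's own code: it strips the Regex: prefix, compiles the pattern with the .NET Regex class, and reports which of a set of constructed sample paths match. It assumes ThreatLocker evaluates patterns with .NET IsMatch (substring) semantics and ignores case, which the article's lowercase `\\appdata\\` example and Windows path conventions imply; the function name and the sample paths are the author's own.

```powershell
# Added example (not ThreatLocker code): test a portal-style "Regex:" value against
# sample paths with the .NET regex engine before pasting it into the portal.
# Assumption: ThreatLocker matches with .NET IsMatch semantics, case-insensitively.
using namespace System.Text.RegularExpressions

function Test-ThreatLockerRegex {
    param(
        [Parameter(Mandatory)] [string]   $Value,   # e.g. 'Regex:\\appdata\\(local|locallow|roaming)\\temp'
        [Parameter(Mandatory)] [string[]] $Path     # sample paths to evaluate
    )
    if ($Value -notmatch '^Regex:(?<pattern>.+)$') {
        throw "Value must start with the 'Regex:' prefix: $Value"
    }
    $pattern = $Matches['pattern']
    # Compile once; a malformed pattern throws here instead of silently never matching in a policy.
    # The one-second timeout guards against catastrophic backtracking in a badly written pattern.
    $regex = [Regex]::new($pattern, [RegexOptions]::IgnoreCase, [TimeSpan]::FromSeconds(1))
    foreach ($p in $Path) {
        [pscustomobject]@{
            Path    = $p
            Matches = $regex.IsMatch($p)
        }
    }
}

# Constructed sample paths (no real host data).
$samplePaths = @(
    'C:\Users\bob\AppData\Local\Temp\installer.exe',
    'C:\Users\bob\AppData\Roaming\Temp\update.exe',
    'C:\Users\bob\AppData\Local\Programs\app.exe',
    'C:\Users\bob\Downloads\setup123.exe',
    'C:\Users\bob\Downloads\a1b2c3d4.exe',
    'C:\Users\bob\Downloads\a1b2c3d4.exe.txt'
)

# Application Definition example from this article.
Test-ThreatLockerRegex -Value 'Regex:\\appdata\\(local|locallow|roaming)\\temp' -Path $samplePaths |
    Format-Table -AutoSize

# Storage Control example from this article: eight name characters, then .exe.
Test-ThreatLockerRegex -Value 'Regex:c:\\users\\bob\\downloads\\[a-z0-9._-]{8}\.exe' -Path $samplePaths |
    Format-Table -AutoSize
```

Running it shows the first pattern matching both the Local\Temp and Roaming\Temp paths but not Local\Programs, and the second pattern matching setup123.exe and a1b2c3d4.exe. Note that a1b2c3d4.exe.txt also matches the second pattern, because nothing anchors `\.exe` to the end of the path; that is the kind of over-match the Regex Limitations section below describes, and a tester like this surfaces it before the rule goes live.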

Regex Limitations

Although ThreatLocker does support the use of Regex in the locations listed above, it does not provide as much control as specifying an exact path or process, because more than one path or process can match a given Regex pattern. It is recommended to use exact paths and process paths whenever possible.

When a policy is matched using a Regex rule, the file will be logged in the Unified Audit and the entry will show the policy it matched. However, it will not show a matching application if the Unified Audit entry is expanded and 'Permit Application' or 'Add to Application' is selected.
 
Because the text in the application definition is a regular expression, the path or process does not exactly match that text, and application matching looks for an exact text match. The matching application is therefore not displayed, even though the policy remains in full effect.
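To make the difference in control concrete, here is an added PowerShell example, not ThreatLocker's own code, that evaluates an exact-path rule, the article's unanchored regex, and an anchored variant of that regex over the same constructed paths. It assumes exact-path rules compare the whole path case-insensitively and regex rules use .NET IsMatch (substring) semantics, as the unanchored examples above imply; the function name, the paths, and the anchored pattern are the author's own.

```powershell
# Added example (not ThreatLocker code): compare how many sample paths an exact-path
# rule, an unanchored regex rule, and an anchored regex rule each match.
# Assumptions: exact rules are whole-string, case-insensitive comparisons; regex rules
# use .NET IsMatch semantics and ignore case.
using namespace System.Text.RegularExpressions

function Get-RuleMatches {
    param(
        [Parameter(Mandatory)] [string]   $Rule,   # 'Regex:<pattern>' or a literal full path
        [Parameter(Mandatory)] [string[]] $Path
    )
    if ($Rule.StartsWith('Regex:', [System.StringComparison]::OrdinalIgnoreCase)) {
        $regex = [Regex]::new($Rule.Substring(6), [RegexOptions]::IgnoreCase, [TimeSpan]::FromSeconds(1))
        return $Path | Where-Object { $regex.IsMatch($_) }
    }
    # Exact rule: whole-string comparison, so at most one distinct path can match.
    return $Path | Where-Object { [string]::Equals($_, $Rule, [System.StringComparison]::OrdinalIgnoreCase) }
}

# Constructed sample paths: two user profiles, a backup copy on another drive, and a nested folder.
$paths = @(
    'C:\Users\bob\AppData\Local\Temp\tool.exe',
    'C:\Users\alice\AppData\Local\Temp\tool.exe',
    'D:\Backups\bob\AppData\Roaming\Temp\tool.exe',
    'C:\Users\bob\AppData\Local\Temp\nested\tool.exe'
)

$rules = [ordered]@{
    'Exact path'       = 'C:\Users\bob\AppData\Local\Temp\tool.exe'
    'Unanchored regex' = 'Regex:\\appdata\\(local|locallow|roaming)\\temp'
    # Anchored: a real drive, one profile folder, the temp folder, and a single .exe directly inside it.
    'Anchored regex'   = 'Regex:^c:\\users\\[^\\]+\\appdata\\(local|locallow|roaming)\\temp\\[^\\]+\.exe$'
}

foreach ($name in $rules.Keys) {
    $hits = @(Get-RuleMatches -Rule $rules[$name] -Path $paths)
    '{0,-17} matched {1} of {2} paths' -f $name, $hits.Count, $paths.Count
    $hits | ForEach-Object { "    $_" }
}
```

The exact rule matches one path, the article's unanchored pattern matches all four (including the copy under D:\Backups and the nested subfolder), and the anchored pattern matches only the two files sitting directly in a user's Local\Temp folder. When a regex is unavoidable, anchoring it with `^` and `$` and using `[^\\]+` instead of `.*` for individual path segments keeps the match set close to what an exact path would have allowed.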