AppSense Regular Expression for Microsoft Office

I recently needed to add a new rule to AppSense that runs on process start. I wanted the rule to run only when a Microsoft Office application was launched. We required an AppSense regular expression for Microsoft Office, since there are multiple applications within the suite (Word, Excel, etc.).

Now I usually eat the basic regular expressions for breakfast (with some ketchup on top for good measure). However, I noticed that my regular expression wasn’t working in AppSense, and the cause turned out to be the flavour of regular expression that AppSense uses!

You see, I tend to use JavaScript regular expressions or .NET regular expressions in my web development projects. But AppSense was presumably written in C++ and uses the CAtlRegExp regular expression class from ATL, which is… lame. Its grouping syntax is different, and so is its character matching syntax.


To test my regular expressions, rather than update the AppSense policy and wait for it to deploy to the machine, I just downloaded the regular expression tester from here.

So this was my first attempt – the MfcRegex tool said it was a successful match!  So I plonked it into AppSense:

.*\\Microsoft Office\\Office\d\d?\\((WINWORD)|(EXCEL)|(POWERPNT)|(MSACCESS)|(OUTLOOK)|(VISIO)|(WINPROJ))\.EXE$

But wait!  AppSense tries to be clever and escapes the brackets with preceding backslashes (I noticed this in the client debug logs), so this RegEx was failing because AppSense was evaluating it to this:

.*\\Microsoft Office\\Office\d\d?\\\(\(WINWORD\)|\(EXCEL\)|\(POWERPNT\)|\(MSACCESS\)|\(OUTLOOK\)|\(VISIO\)|\(WINPROJ\)\)\.EXE$
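The rewrite described above can be reproduced offline before a policy is deployed. The following is an added example, not code from the original post or from AppSense: escapeBrackets is a hypothetical helper that assumes every "(" and ")" gets a preceding backslash, the sample strings are constructed, and matching uses JavaScript's regex engine as a stand-in for ATL's CAtlRegExp.

```javascript
// Added example: models the bracket escaping described in the post.
// Assumption: AppSense prefixes every "(" and ")" with a backslash before evaluation.
// Matching below uses JavaScript's regex engine as a stand-in, not ATL's CAtlRegExp.

// First-attempt pattern from the post, verbatim.
const firstAttempt = String.raw`.*\\Microsoft Office\\Office\d\d?\\((WINWORD)|(EXCEL)|(POWERPNT)|(MSACCESS)|(OUTLOOK)|(VISIO)|(WINPROJ))\.EXE$`;

// Constructed sample strings (not taken from a real machine).
const samples = [
  String.raw`C:\Program Files\Microsoft Office\Office14\WINWORD.EXE`,
  String.raw`C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE`,
  String.raw`C:\Program Files\Microsoft Office\Office14\MSPUB.EXE`,
  String.raw`C:\Windows\System32\notepad.exe`,
  String.raw`D:\scratch\(EXCEL)`, // only here to show what the rewritten pattern looks for
];

// Hypothetical helper: the rewrite the debug logs showed.
function escapeBrackets(pattern) {
  return pattern.replace(/[()]/g, (ch) => "\\" + ch);
}

// Return the sample strings a pattern matches.
function matches(pattern, paths) {
  const re = new RegExp(pattern);
  return paths.filter((p) => re.test(p));
}

// Compare a pattern as typed with the pattern as evaluated after the rewrite.
function compare(pattern, paths) {
  const rewritten = escapeBrackets(pattern);
  return {
    rewritten,
    changed: rewritten !== pattern,
    asTyped: matches(pattern, paths),
    asEvaluated: matches(rewritten, paths),
  };
}

const report = compare(firstAttempt, samples);
console.log(report.rewritten);
console.log("as typed:    ", report.asTyped);
console.log("as evaluated:", report.asEvaluated);
```

As typed, the pattern matches the WINWORD and EXCEL paths; after the rewrite it only matches text containing literal brackets, so no real Office path triggers the rule.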

So by this point I was close to throwing my computer out of the window, until finally I used this syntax which works like a charm:

.*\\Microsoft Office\\Office\d\d?\\{WINWORD}|{EXCEL}|{POWERPNT}|{MSACCESS}|{OUTLOOK}|{VISIO}|{WINPROJ}\.EXE$

Notice that I have swapped the round brackets for curly braces and dropped the outer group. If you want to limit it to a specific version of Office (2010 in my case), you can use a regular expression similar to this:

.*\\Microsoft Office\\Office14\\{WINWORD}|{EXCEL}|{POWERPNT}|{MSACCESS}|{OUTLOOK}|{VISIO}|{WINPROJ}\.EXE$