DLP EndPoint Regular Expression Parser
I recently encountered an issue with a policy definition that included a Regular Expression for content interrogation on content being “sent” from a PC to a USB attached media device. The RegEx was one that is being used for policies deployed to all of the other available Monitor and Prevent capabilities with no issue. Through the assistance of Symantec Support, it was discovered that the EndPoint parser does not support the use of (i) for ignore case but requires “simple match” with all iterations [aA]. The existing documentation addressing DLP and RegEx is fairly light, and due to this possible deviation in “parsing” there appears to be a greater need for more “rich” content speaking to the RegEx support and best practices.
- Is there any documentation that outlines differences in RegEx parsers for each of the DLP agents (Network, EndPoint, File Discover, SharePoint Discover, etc.)?
- Is there any documentation that addresses best practices and examples for building proper RegExes for each agent?
- Does Symantec recommend any RegEx validation utilities when these types of complex expressions are needed for policy definition?
This information would be very valuable to the community as a whole.
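
The workaround described in the post, as an added example that is not part of the original post and is not Symantec code: a Python helper that rewrites a case-insensitive pattern into explicit [aA] classes and checks the rewrite against the original on sample strings. It assumes the "(i)" in the post refers to a leading `(?i)` flag, and it does not handle named groups or class ranges that mix letters with non-letters; the function names and the sample pattern are constructed for illustration.

```python
import re

def _letter(c):
    return c.isascii() and c.isalpha()

def _esc_len(s, i):
    # Length of the escape at s[i] == "\\"; covers \xHH and \uHHHH.
    return 2 + {"x": 2, "u": 4}.get(s[i + 1:i + 2], 0)

def _expand_class(body):
    # Inside [...]: add the other-case twin of each letter and letter range.
    out, i = "", 0
    while i < len(body):
        c, hi = body[i], body[i + 2:i + 3]
        if c == "\\":
            tok = add = body[i:i + _esc_len(body, i)]
        elif _letter(c) and body[i + 1:i + 2] == "-" and _letter(hi):
            tok = body[i:i + 3]
            same = c.islower() == hi.islower()
            add = tok + (c.swapcase() + "-" + hi.swapcase() if same else "")
        else:
            tok, add = c, (c + c.swapcase() if _letter(c) else c)
        out, i = out + add, i + len(tok)
    return out

def expand_case(pattern):
    # Assumes a leading (?i) and no named groups (their names would be rewritten).
    pattern = pattern[4:] if pattern.startswith("(?i)") else pattern
    out, i = "", 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":  # \d, \s, \b ... are copied untouched
            tok = add = pattern[i:i + _esc_len(pattern, i)]
        elif c == "[":  # rewrite the class body, keeping a leading ^
            j = start = i + (2 if pattern[i + 1:i + 2] == "^" else 1)
            while pattern[j] != "]":
                j += _esc_len(pattern, j) if pattern[j] == "\\" else 1
            tok = pattern[i:j + 1]
            add = pattern[i:start] + _expand_class(pattern[start:j]) + "]"
        else:
            tok, add = c, (f"[{c.lower()}{c.upper()}]" if _letter(c) else c)
        out, i = out + add, i + len(tok)
    return out

def same_matches(pattern, samples):
    # True when the rewritten pattern agrees with the original on every sample.
    plain = re.compile(expand_case(pattern))
    return all(bool(re.search(pattern, s)) == bool(plain.search(s)) for s in samples)

SAMPLE = r"(?i)project-[a-f]\d{3}\s+confidential"  # constructed, not a real policy
```

Running `same_matches` over strings that should and should not trigger the policy gives a quick regression check before the rewritten expression is deployed to an agent.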