Regex for Dynamic Group not working

[offbyone 10]

I have one Dynamic Group Template with regex which is not working. Maybe anyone has an idea why.

What works (without regex):

What doesn't works (with regex):

Computers with prefix "kas-" are not part of the group (it's empty).

I also tried "^kas-|^kam-"

and also "^kas\-|^kam\-"

but nothing worked.

THX

[MartinK 378]

Unfortunately I cannot verify but I would recommend to construct regex without "^" and "$" -> even without those, whole string has to be matching regular expression, so those characters are not required. Maybe regex (kas|kam)-.* will work? Just to be sure, after each modification, it might take some time until new template is re-evaluated by clients.

[offbyone 10]

Hi Martin,

thanks for you answer, however also the variant you suggested did not work.

I also tried kas-.*|kam-.* which did not work also.

Strange

[offbyone 10]

I'm running out of ideas.

Is it possible that regex is broken?

I even tried kas.* which also fails.

If I replace "regex" with "has prefix" kas it works. But it is not what I need cause I have to check against two prefixes.

Cheers.

[Marcos 5,074]

Did you wait long enough for changes in DG to replicate to clients and then back to the server?

[offbyone 10]

Quote

Did you wait long enough for changes in DG to replicate to clients and then back to the server?

I think so.

To get sure I did the last change yesterday evening and had a look at the results today. Group was still empty. Then I changed from "regex" to "has prefix" and 10 minutes later I saw the first computer appearing in the group.

Edited July 23, 2020 by offbyone
typos

[MartinK 378]

19 hours ago, offbyone said:

I think so.

To get sure I did the last change yesterday evening and had a look at the results today. Group was still empty. Then I changed from "regex" to "has prefix" and 10 minutes later I saw the first computer appearing in the group.

Could you please provide version and platform of ERA/ESMC Agent installed on client? Just to be sure there is not an older version which might not have regex support yet. Regardless of that, we will try to reproduce with similar configuration.

[offbyone 10]

ESET Management Agent    7.2.1266.0
ESET Endpoint Antivirus    7.3.2036.0

[offbyone 10]

Anything new on that one?

THX

[Marcos 5,074]

Since the issue cannot be easily sorted, I would recommend opening a ticket with your local ESET support so that the issue is properly tracked and looked at by developers, if necessary.

[offbyone 10]

OK

[offbyone 10]

Just for the records.

I changed "Device identifiers.Identifier type" from "Computer name" to "Computer FQDN" and now the regex works.

[MartinK 378]

23 minutes ago, offbyone said:

Just for the records.

I changed "Device identifiers.Identifier type" from "Computer name" to "Computer FQDN" and now the regex works.

Thanks for letting us know.

Just out of curiosity, could you provide hint what could have been wrong? Both computer name and FQDN are accessible also from console in client details:

 

Maybe there was just wrong case sensitivity? Or completely wrong/unexpected computer name was reported for those devices?

[offbyone 10]

That raises an interesting question.

Are the RegEx within ESET handled case sensitive? Sensitiveness normally is specified outside of the "expression string" with a modifier. For example in Java script you would write /(kas-|kam-).*/i where "i" the the modifier for case-insensitive.

That would explain it as the details for the computer look like follows:

 

 

 

 

Edited August 6, 2020 by offbyone

[offbyone 10]

Just to mention. The operator "has prefix" is not cases sensitive, so I suspect the same for regex. So far I cannot imagine a use case for dynamic group rules where case sensitiveness makes sense.

Does ESET normalize FQDN and computer name to identical cases internally or does it use the values which are returned from OS unaltered?