offbyone, posted July 22, 2020:
I have one Dynamic Group Template with regex which is not working. Maybe anyone has an idea why. What works (without regex): What doesn't work (with regex): Computers with prefix "kas-" are not part of the group (it's empty). I also tried "^kas-|^kam-" and also "^kas\-|^kam\-" but nothing worked. THX
MartinK (ESET Staff), posted July 22, 2020:
Unfortunately I cannot verify, but I would recommend constructing the regex without "^" and "$": even without those, the whole string has to match the regular expression, so those characters are not required. Maybe the regex (kas|kam)-.* will work? Just to be sure: after each modification, it might take some time until the new template is re-evaluated by clients.
offbyone (Author), posted July 22, 2020:
Hi Martin, thanks for your answer, however the variant you suggested also did not work. I also tried kas-.*|kam-.* which also did not work. Strange.
offbyone (Author), posted July 23, 2020:
I'm running out of ideas. Is it possible that regex is broken? I even tried kas.* which also fails. If I replace "regex" with "has prefix" kas it works. But it is not what I need because I have to check against two prefixes. Cheers.
Marcos (Administrators), posted July 23, 2020:
Did you wait long enough for changes in DG to replicate to clients and then back to the server?
offbyone (Author), posted July 23, 2020 (edited July 23, 2020 by offbyone: typos):
Quote: "Did you wait long enough for changes in DG to replicate to clients and then back to the server?"
I think so. To be sure, I did the last change yesterday evening and had a look at the results today. Group was still empty. Then I changed from "regex" to "has prefix" and 10 minutes later I saw the first computer appearing in the group.
MartinK (ESET Staff), posted July 24, 2020:
19 hours ago, offbyone said: "I think so. To be sure, I did the last change yesterday evening and had a look at the results today. Group was still empty. Then I changed from "regex" to "has prefix" and 10 minutes later I saw the first computer appearing in the group."
Could you please provide the version and platform of the ERA/ESMC Agent installed on the client? Just to be sure there is not an older version which might not have regex support yet. Regardless of that, we will try to reproduce with a similar configuration.
offbyone (Author), posted July 24, 2020:
ESET Management Agent 7.2.1266.0
ESET Endpoint Antivirus 7.3.2036.0
Marcos (Administrators), posted July 30, 2020:
Since the issue cannot be easily sorted, I would recommend opening a ticket with your local ESET support so that the issue is properly tracked and looked at by developers, if necessary.
offbyone (Author), posted August 6, 2020:
Just for the record. I changed "Device identifiers.Identifier type" from "Computer name" to "Computer FQDN" and now the regex works.
MartinK (ESET Staff), posted August 6, 2020:
23 minutes ago, offbyone said: "Just for the record. I changed "Device identifiers.Identifier type" from "Computer name" to "Computer FQDN" and now the regex works."
Thanks for letting us know. Just out of curiosity, could you provide a hint as to what could have been wrong? Both computer name and FQDN are also accessible from the console in client details: Maybe there was just wrong case sensitivity? Or a completely wrong/unexpected computer name was reported for those devices?
offbyone (Author), posted August 6, 2020 (edited August 6, 2020 by offbyone):
That raises an interesting question. Are the RegEx within ESET handled case sensitive? Sensitiveness normally is specified outside of the "expression string" with a modifier. For example in JavaScript you would write /(kas-|kam-).*/i where "i" is the modifier for case-insensitive. That would explain it, as the details for the computer look as follows:
offbyone (Author), posted August 7, 2020:
Just to mention. The operator "has prefix" is not case sensitive, so I suspect the same for regex. So far I cannot imagine a use case for dynamic group rules where case sensitiveness makes sense. Does ESET normalize FQDN and computer name to identical cases internally or does it use the values which are returned from OS unaltered?
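
An added example, not part of the thread and not ESET code: a small JavaScript check that sorts the patterns tried above into "match", "case-mismatch", "partial-only" or "no-match" for a given identifier value. It assumes the evaluator requires the whole string to match (as MartinK describes) and is case sensitive (the hypothesis raised in the thread, not confirmed there). The device names, the `fullMatch`/`diagnose`/`report` helpers and the `corp.example` domain are constructed for illustration.

```javascript
// Whole-string matching, emulated by wrapping the pattern in ^(?:...)$.
// Assumption about the evaluator's semantics, taken from the thread.
function fullMatch(pattern, value, ignoreCase = false) {
  return new RegExp(`^(?:${pattern})$`, ignoreCase ? "i" : "").test(value);
}

// Classify why an identifier does or does not satisfy a template pattern.
function diagnose(pattern, value) {
  if (fullMatch(pattern, value)) return "match";
  // Matches only when case is ignored: the value's casing is the problem.
  if (fullMatch(pattern, value, true)) return "case-mismatch";
  // Matches only as a substring/prefix search: the pattern does not
  // cover the rest of the string (e.g. a missing trailing ".*").
  if (new RegExp(pattern, "i").test(value)) return "partial-only";
  return "no-match";
}

// Constructed sample identifiers (not taken from the thread): an
// upper-case computer name next to a lower-case FQDN for each device.
const devices = [
  { name: "KAS-PC01", fqdn: "kas-pc01.corp.example" },
  { name: "KAM-SRV02", fqdn: "kam-srv02.corp.example" },
  { name: "HQ-PC07", fqdn: "hq-pc07.corp.example" },
];

// Run one pattern against both identifier types of every device.
function report(pattern) {
  return devices.map((d) => ({
    device: d.name,
    name: diagnose(pattern, d.name),
    fqdn: diagnose(pattern, d.fqdn),
  }));
}

console.table(report("(kas|kam)-.*")); // pattern suggested in the thread
console.table(report("^kas-|^kam-"));  // first pattern tried in the thread
```

A "partial-only" result means the pattern would need a trailing `.*` under whole-string matching; a "case-mismatch" result means the reported identifier differs from the pattern only in letter case.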