You can use regular expressions to search for events, patterns and values of event parameters in the Event Processor section. Kaspersky MLAD supports use of the following special characters in regular expressions:
^ – Corresponds to the start of the parameter value. For example, ^A means that the event parameter search will look for values beginning with the letter A.

$ – Corresponds to the end of the parameter value. For example, A$ means that the event parameter search will look for values ending with the letter A.

. – Corresponds to any single character.

| – Separates the permissible alternatives for a character or a set of characters in a parameter value. For example, c(o|a)t matches both the cot and cat values.

\ – Indicates that the next character is an ordinary character (not a special character) in the parameter value. You can use the \ character to search for special characters in a parameter value. For example, \. describes a dot in the parameter value, while \\ describes a backslash.

[] – Corresponds to any one character from the set of permissible characters. For example, [abc] matches an occurrence of any one of the three specified characters. To search for a range of values, you can use the - character. To find characters that are not within the specified range, you can use the ^ character inside the square brackets. For example, [^0-9] means that any character except a numeral can be present.
You can use the following special characters to indicate the necessary number of repetitions of an expression in the values of event parameters:
? – Indicates that the preceding expression may occur zero or one time in a parameter value.

* – Indicates that the preceding expression may occur zero or more times in a parameter value.

+ – Indicates that the preceding expression may occur one or more times in a parameter value.

{} – Lets you indicate the necessary number of repetitions of the preceding expression. You can specify the repetition count in one of the following ways:

{n} – The expression preceding the curly brackets occurs in the parameter value exactly n times.

{m,n} – The expression preceding the curly brackets occurs in the parameter value from m to n times inclusive.

{m,} – The expression preceding the curly brackets occurs in the parameter value at least m times.

{,n} – The expression preceding the curly brackets occurs in the parameter value no more than n times.

You can also use parentheses () to group elements of an expression. For example, (c[oa]t){2} matches cotcot, catcat, cotcat, and catcot.
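The following is an added example, not part of the Kaspersky MLAD documentation: it runs the constructs described above (anchors, escaping, alternation, character classes, grouping with repetition counts) against a constructed set of parameter values, using Python's re module as a stand-in for the Event Processor's own matcher, and shows why an unescaped dot over-matches and why anchors matter when the whole value is meant.

```python
import re

# Constructed sample event parameter values (illustrative only, not from a real MLAD deployment).
SAMPLE_VALUES = [
    "10.0.0.1", "10a0b0c1",        # a dotted address and a look-alike differing only where the dots are
    "ALARM", "DATA",               # one value starting with A, one ending with A
    "cotcot", "catcat", "cotcat", "catcot", "cotdog",
    "42", "4a2",
]


def search_values(pattern: str, values=SAMPLE_VALUES) -> list[str]:
    """Return the values in which the pattern matches anywhere (search semantics).

    Without ^ or $ the pattern may sit inside a longer value, so use the anchors
    whenever the whole value, or its start or end, is what matters.
    """
    regex = re.compile(pattern)
    return [v for v in values if regex.search(v)]


def literal_pattern(value: str) -> str:
    """Turn an observed parameter value into a pattern that matches it literally.

    re.escape puts a backslash before every special character, i.e. it applies the
    backslash rule from the text automatically. Searching for a raw value without
    escaping it is a common over-matching mistake: each '.' would match any character.
    """
    return re.escape(value)


def demo() -> dict[str, list[str]]:
    """Run each construct from the text against the constructed values."""
    return {
        "^A": search_values("^A"),                              # starts with A
        "A$": search_values("A$"),                              # ends with A
        "10.0.0.1": search_values("10.0.0.1"),                  # unescaped dots also hit the look-alike
        "escaped": search_values(literal_pattern("10.0.0.1")),  # only the real address
        "c(o|a)t": search_values("c(o|a)t"),                    # alternation
        "^(c[oa]t){2}$": search_values("^(c[oa]t){2}$"),        # grouping with an exact repeat count
        "^[^0-9]+$": search_values("^[^0-9]+$"),                # values containing no digit at all
        "^[0-9]{,2}$": search_values("^[0-9]{,2}$"),            # at most two characters, all digits
    }


if __name__ == "__main__":
    for pattern, hits in demo().items():
        print(f"{pattern:16} -> {hits}")
```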