
Expert Rule user name match

Dear all,

I want to block an application for all users except the administrators in our McAfee system. We can decide if a user is an administrator by the user name or by AD group membership.

Our admin users match one of the following syntaxes: "admin-*" or "localadmin-*"

AD side solutions are not usable for other reasons. I have made an expert rule with the following definition:

Rule {
    Process {
        Include OBJECT_NAME { -v "*" }
        Exclude USER_NAME { -v "admin-testuser" | -v "localadmin-testuser" }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "executable.exe" }
            Include -access "EXECUTE READ"
        }
    }
}

It works like a charm. If I change the corresponding line to Exclude USER_NAME { -v "admin-*" | -v "localadmin-*" }

then it will block for everyone.

By this documentation:

It seems that I can't use matching in the "process" part, but I can use it in the Initiators part.

For initiators I can't find any documentation or example that may show me how to solve the issue. McAfee support can't help in this case. Can anyone please advise?

5 Replies
McAfee Employee
Message 2 of 6

Re: Expert Rule user name match

Check page number 40 in the above article. See if that can help you. If not then let us know. Can do further testing on this.


Re: Expert Rule user name match



First of all, thank you for the answer.

I have read this whole document, and I did not find any resolution in it to my issue. At the mentioned page, I did not find any related information.

It tells me that I should use Domain\username, but that one does not work for me. If I just type the username, it works.

It says that I can use an asterisk for all users. This one works as well. But it does not tell anything about user name matching, as far as I understand.

What is your suggestion to change?


Thanks in advance.

Reliable Contributor
Message 4 of 6

Re: Expert Rule user name match

I'm really not sure I understand the issue,  but maybe this will help.  You need to escape the \ with \\.  So domain\\username. 



Re: Expert Rule user name match


Sorry if my goal was not clear. At the moment I have no issue with the current rule. It works just fine. It blocks executable.exe for every user except admin-testuser and localadmin-testuser. So there is nothing to debug in the rule above.

My goal: Let everyone run executable.exe whose username starts with "admin-" or "localadmin-", and block it for everyone whose username does not start with these. For example, if a user with username "Bill", "Bob", "Jane", ... wants to run it, the rule should prevent the execution. If "admin-Joe" or "Localadmin-Janet" tries to run it, the rule should allow it.

In PowerShell:

if (($env:username -like "admin-*") -or ($env:username -like "localadmin-*"))

{allow-execution executable.exe}

else

{block-execution executable.exe}

(sadly allow-execution and block-execution are not valid PS functions)

I hope it's more clear now.

Level 7
Message 6 of 6

Re: Expert Rule user name match


Could you use the group SID?  For example, with the local administrators group you would just include this in the source process section.

Include GROUP_SID { -v "S-1-5-32-544" }

Kind regards,
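
Added example, not part of the thread: before replacing the user-name exclusion with the GROUP_SID suggested above, this PowerShell check lists the accounts for which the two criteria disagree, i.e. names that follow the "admin-*" / "localadmin-*" convention but are not in BUILTIN\Administrators (S-1-5-32-544), and the reverse. The function names and the account lists are assumptions constructed for illustration.

```powershell
# Added example (not from the thread). Function names and sample accounts are constructed.
$AdminGroupSid = 'S-1-5-32-544'   # BUILTIN\Administrators, the SID quoted in the reply

function Test-AdminNamingConvention {
    param([string]$Account)
    # Drop an optional DOMAIN\ or COMPUTER\ prefix, then apply the two
    # wildcards from the original post (-like is case-insensitive).
    $user = ($Account -split '\\')[-1]
    ($user -like 'admin-*') -or ($user -like 'localadmin-*')
}

function Compare-ConventionToGroup {
    param([string[]]$Accounts, [string[]]$GroupMembers)
    foreach ($account in ($Accounts + $GroupMembers | Sort-Object -Unique)) {
        $byName  = Test-AdminNamingConvention $account
        $byGroup = $GroupMembers -contains $account   # case-insensitive compare
        if ($byName -and -not $byGroup) {
            $note = 'name matches, not in group: blocked by a GROUP_SID rule'
        } elseif ($byGroup -and -not $byName) {
            $note = 'in group, name does not match: allowed by a GROUP_SID rule'
        } else {
            $note = 'same result with either criterion'
        }
        [pscustomobject]@{
            Account           = $account
            MatchesConvention = $byName
            InAdminGroup      = $byGroup
            Note              = $note
        }
    }
}

# Constructed sample data so the script runs anywhere.
$accounts = 'PC01\Bill', 'PC01\Jane', 'PC01\admin-Joe', 'PC01\Localadmin-Janet'
$members  = 'PC01\admin-Joe', 'PC01\Administrator'

# On a real endpoint, take the direct user members of the group instead:
#   $members = Get-LocalGroupMember -SID $AdminGroupSid |
#              Where-Object ObjectClass -eq 'User' | ForEach-Object Name

Compare-ConventionToGroup -Accounts $accounts -GroupMembers $members |
    Format-Table -AutoSize
```

With the sample data, PC01\Localadmin-Janet and PC01\Administrator are the two accounts whose treatment would change if the rule keyed on the group SID instead of the user name.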

