Hi all,
I was writing a YARA-L detection rule in the Chronicle editor and I need to match the string "C:\Program Files" with a regex. So I wrote:
re.regex($selection.src.process.file.full_path, `C:\Program Files`)
But the editor raises this error:
parsing: invalid regex pattern: C:\Program Files: error parsing regexp: invalid character class range: `\Pr`
The error disappears if I escape the backslash character.
Does anyone know the reason? Since I'm using back quotes, shouldn't I be able to not escape the backslash, as said in the reference at this link:
https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#string_and_regex_literals
However, there may be something to do with this being a special character class: \P is used for catching non-unicode characters
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Unicode_character_class_escape
Mhhh ok, but as per the documentation everything that is between back quotes should be interpreted literally. In the link I provided the documentation says: "Back quotes (`) — Use to interpret all characters literally. For example: `hello\tworld` — \t is not interpreted as a tab"
What if I want to match that path? I already tested that if I add another backslash as an escape, the regex will search for "C:\\Program Files"
I think it still needs to be raw regex for it to work. Regex requires the backslash to be escaped. So `C:\\Program...` would be the equivalent to C:\\\\Program... in YARA-L
iirc, you have to escape the backslash. Here is an example.
think of regex as meaning every time there are quotes regex is on.
Just wait til your string of interest includes quotation mark characters
Hi, I'm late in the response. Are you guys saying that the example at this link
https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#string_and_regex_literals
is not valid? Because it says literally that backquotes are used to interpret all characters literally, including the backslash.
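The two layers discussed in this thread, as an added example that is not from any of the posts: Go's back-quoted strings also leave backslashes untouched, and Go's `regexp` package reports the same parser error quoted in the question. Go is used as a stand-in on the assumption that the Chronicle editor's regex parser behaves the same way; `samplePath`, `tryPattern` and `literalPattern` are names made up for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample value standing in for
// $selection.src.process.file.full_path.
const samplePath = `C:\Program Files\Vendor\agent.exe`

// tryPattern compiles pattern and reports whether it matches samplePath.
// A compile error is returned unchanged so the parser message can be read.
func tryPattern(pattern string) (bool, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, err
	}
	return re.MatchString(samplePath), nil
}

// literalPattern turns a literal string into a regex that matches it
// character for character by escaping every regex metacharacter.
func literalPattern(s string) string {
	return regexp.QuoteMeta(s)
}

func main() {
	cases := []struct{ label, pattern string }{
		// Raw string: the regex parser receives \P followed by r and
		// reads it as a Unicode class escape with an unknown name.
		{"raw, single backslash", `C:\Program Files`},
		// Raw string: the regex parser receives \\ (one literal backslash).
		{"raw, escaped backslash", `C:\\Program Files`},
		// Quoted string: the string layer halves the backslashes first,
		// so the regex parser again receives \\.
		{"quoted, escaped twice", "C:\\\\Program Files"},
		// Escaping generated from the literal path instead of typed by hand.
		{"QuoteMeta of literal", literalPattern(`C:\Program Files`)},
	}
	for _, c := range cases {
		matched, err := tryPattern(c.pattern)
		fmt.Printf("%-24s %-20s matched=%-5v err=%v\n",
			c.label, c.pattern, matched, err)
	}
}
```

Back quotes only switch off escape processing in the string literal; the regex parser still applies its own backslash rules to whatever text it receives.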