I would recommend favoriting the link below and reviewing daily for any changes to signatures. Generally this is on a monthly release cycle but there are instances where new signatures are added or existing ones altered based on the existing threat landscape or reported issues with existing content.
As for signature 1266 being changed on either the 4/10 or 4/16 releases, I verified for you and did not see any listed changes. I also checked through my HIPS threat events over the last month and only had 3 listed, but every environment varies. My best guess is you are seeing something that may be a homegrown application or admin script causing this activity.
Regarding the triggering of signatures with existing exceptions in place, I have been seeing this myself. I currently have a ticket open and, pending MER data on my end, I should hopefully have an answer forthcoming. Just to be safe though, make sure your syntax is correct by referencing the support guide. I recently fixed a few that I entered in error, so it happens.
For anyone still interested in this, we put in a service request to McAfee Platinum support and it turns out there is a known issue in HIPS 7.0, where the advanced details of one signature merge with another signature, which suddenly makes an exception more restrictive than it used to be.
Usually just re-saving the exception clears up the problem - I guess HIPS sees the act of re-saving the policy as a policy change (even though nothing actually changed) and re-pushes the exception again.
McAfee isn't going to fix this for HIPS 7.0; it'll require an upgrade to HIPS 8.0 to resolve the problem.
That sounds interesting but is a bit vague. When you say merge, are you referring to the database tables on the back end? Or does this issue only manifest itself locally on the client?
To further my comment from earlier, investigation in our environment has shown that the issue may lie with how the CMA is applying policies locally on the host but not something that is systemic.
Typical answer though, just upgrade to the latest version and all will be well... I don't recall seeing any specific enhancement or fix detailed in the HIPS 8 RTW or Patch 1 release notes regarding signature rule sets merging.
In the support request we did, it was determined that the advanced details of one exception we had created for sig 3809 had somehow merged with the exception we had made for signature 990, which had no advanced details configured. This made sig 990 much more restrictive than it was supposed to be.
Technically I'm not sure how they "merged"; the exception when viewed in ePO looked the way it was supposed to look; it "merged" somehow in the background and the way it was applied to our systems.