After testing I realised I had to make 10 different rules, each with one file rule looking for a specific dll. One dll per subrule inside one rule did not work because it still thresholded.
Is there really no way to turn this off besides on the registry key of each endpoint? Why isn't this a setting on a rule by rule basis?
There is not; the change is global for all signatures. Submit a PER (KB60021) if you'd like to request this functionality per-signature. Lowering this EventTimeout value can cause a huge increase in logging and events sent to ePO, which would flood the server and affect system performance. The EventTimeout is to add some aggregation filtering on the client and ePO server side. I tested it with HIPS 8, and with a 3 sec timeout, 1 signature created 25k+ signature violations and almost 200 ePO events in about 5 minutes (system performance was definitely impacted).
As you found, separating these by Signature numbers will eliminate the threshold you're seeing, but remember there is a limited number of custom signatures that can be created (total 1998).
KB70638 - Cannot create custom signature. Too many custom signatures exist. (issue: reached maximum limit on number of custom signatures)
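The aggregation behaviour discussed in this reply (one timeout window per signature, applied globally) can be modelled to see why splitting one rule into several signatures changes what reaches ePO. The following is an added, constructed simulation and is not McAfee's code: the real HIPS/ePO algorithm, registry location and defaults are not given on the page, so the model assumes the simplest per-signature window, "forward a violation only if no event for that signature was forwarded in the last `timeout` seconds". The signature numbers, DLL names and timings are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Violation:
    ts: float        # seconds since the start of the sample window (constructed)
    signature: int   # HIPS signature id (constructed, hypothetical numbers)
    detail: str      # what the file rule matched, e.g. the loaded dll


def aggregate(violations, timeout):
    """Return the subset of violations that would be forwarded as ePO events.

    Assumed model: the first violation of a signature is forwarded; further
    violations of the same signature are suppressed until `timeout` seconds
    have passed since the last forwarded event for that signature. The window
    is keyed on the signature only, so two different dlls matched by the same
    signature share one window, while different signatures never interact.
    """
    last_sent = {}      # signature id -> timestamp of last forwarded event
    forwarded = []
    for v in sorted(violations, key=lambda x: x.ts):
        last = last_sent.get(v.signature)
        if last is None or v.ts - last >= timeout:
            last_sent[v.signature] = v.ts
            forwarded.append(v)
    return forwarded


def make_violations(signature, detail, period=0.5, duration=300.0):
    """Constructed noisy signature: one violation every `period` seconds for
    `duration` seconds (600 violations over five minutes by default)."""
    return [Violation(i * period, signature, detail)
            for i in range(int(duration / period))]


def count_events(violations, timeout):
    """Number of ePO events the assumed model would emit for these violations."""
    return len(aggregate(violations, timeout))


DLLS = [f"lib{i}.dll" for i in range(10)]   # constructed file-rule targets


def one_rule_vs_many(timeout=3.0):
    """Compare the thread's two layouts: ten dll checks under one signature
    versus ten separate signatures. Each dll is loaded once, one second apart."""
    one_rule = [Violation(float(i), 4000, dll) for i, dll in enumerate(DLLS)]
    many_rules = [Violation(float(i), 4000 + i, dll) for i, dll in enumerate(DLLS)]
    return count_events(one_rule, timeout), count_events(many_rules, timeout)


def dlls_never_reported(timeout=3.0):
    """Which dll loads would never show up as an ePO event under a single signature."""
    one_rule = [Violation(float(i), 4000, dll) for i, dll in enumerate(DLLS)]
    seen = {v.detail for v in aggregate(one_rule, timeout)}
    return sorted(set(DLLS) - seen)


if __name__ == "__main__":
    noisy = make_violations(4000, "noisy.dll")
    for t in (0.0, 3.0, 60.0):
        print(f"timeout={t:>4}s: {len(noisy)} violations -> {count_events(noisy, t)} events")
    print("one rule vs ten rules (events):", one_rule_vs_many())
    print("dll loads hidden by a single-signature window:", dlls_never_reported())
```

Under this model the noisy signature that fires twice a second produces 100 events in five minutes with a 3-second window and 5 with a 60-second one, which is the trade-off the reply describes; and a single signature covering ten dlls reports only four of the ten loads, whereas ten signatures report all ten, which is why the per-dll split in the first post worked. The dlls hidden by the shared window (`lib1`, `lib2`, `lib4`, ...) are exactly the ones an analyst reading only ePO events would never see; hipshield.log, which the thread says is not thresholded, would still contain them.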
Thanks Kary. I understand that lowering it could increase logging. That's something that happens with every single IDS/IPS out there. We have a test environment to prevent such issues.
The problems are that this default threshold isn't obvious to the end user, nor is it changeable once found (on a rule by rule basis where it matters). I've been looking through logs and viewing endpoints' behaviors under the wrong assumption all along. To add to the confusion, hipshield.log doesn't threshold. This tells me the endpoint's performance is not saved by this thresholding, only the ePO server is.
As for a rule firing 25k+, well again, that rule needs to be remade or thresholded. That doesn't mean every rule out there should, though.