Rogue System Detection 2.0 Update
Despite my HIPS exclusion to completely ignore port scans, I still was bombarded with alerts for a TCP port scan.
More interesting still, the System event viewer on many Windows clients was showing the following error once a day:
Event Type: Error
Event Source: TermDD
Event Category: None
Event ID: 50
Description:
The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
So, yesterday I disabled "Device details detection" in the policy for RSD sensors. Today, no more alerts and no more errors. Too bad I have to turn this off, but it seems to be more trouble than it's worth.
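An added example, not part of the original post: one way to check across exported System logs whether the TermDD event 50 errors stopped on every client after the sensor policy change. It assumes records copied in the classic Event Viewer text layout, which carries Date and Computer fields that the excerpt above leaves out; the host names, dates and function names are constructed.

```python
import re
from collections import defaultdict
from datetime import date, datetime

# Constructed sample: five records in the classic Event Viewer text layout
# (assumed), including the Date and Computer fields the post's excerpt omits.
TEMPLATE = (
    "Event Type: Error\nEvent Source: {src}\nEvent Category: None\n"
    "Event ID: {eid}\nDate: {day}\nTime: 2:14:07 AM\nUser: N/A\n"
    "Computer: {host}\nDescription:\nconstructed sample text\n"
)
SAMPLE = "\n".join(TEMPLATE.format(src=s, eid=e, day=d, host=h) for s, e, d, h in [
    ("TermDD", 50, "3/9/2009", "WKS-001"),
    ("TermDD", 50, "3/10/2009", "WKS-001"),
    ("TermDD", 50, "3/10/2009", "WKS-002"),
    ("Tcpip", 4201, "3/11/2009", "WKS-001"),  # unrelated event, must be ignored
    ("TermDD", 50, "3/12/2009", "WKS-002"),   # still erroring after the change
])
POLICY_CHANGE = date(2009, 3, 11)  # constructed date of the sensor policy change

FIELD = re.compile(r"^(Event Source|Event ID|Date|Computer):[ \t]*(.+?)[ \t]*$", re.M)

def parse_records(text):
    """Split on blank lines and return one dict of header fields per record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        header = chunk.split("Description:")[0]  # never read fields from free text
        fields = dict(FIELD.findall(header))
        if {"Event Source", "Event ID", "Date", "Computer"} <= fields.keys():
            records.append(fields)
    return records

def termdd50_by_host(text, policy_change):
    """Count TermDD event 50 per host, before vs. on/after policy_change."""
    counts = defaultdict(lambda: {"before": 0, "after": 0})
    for rec in parse_records(text):
        if rec["Event Source"] != "TermDD" or rec["Event ID"] != "50":
            continue
        day = datetime.strptime(rec["Date"], "%m/%d/%Y").date()
        counts[rec["Computer"]]["before" if day < policy_change else "after"] += 1
    return dict(counts)

def still_affected(text, policy_change):
    """Hosts that logged TermDD event 50 on or after the policy change."""
    counts = termdd50_by_host(text, policy_change)
    return sorted(host for host, c in counts.items() if c["after"])

if __name__ == "__main__":
    print(still_affected(SAMPLE, POLICY_CHANGE))
```

A host that still appears in the result either has not picked up the new sensor policy yet or is receiving malformed RDP connections from some other source.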