I have faced this issue when using heavy rules that use excessive system resources. Some examples are below:
- IDM/EDM-only rules - IDM/EDM are not recommended for endpoints. However, in case you wish to leverage the same, you may consider combining with DCM keywords (two-tier detection). This may reduce the possibility of filereader crashes.
- Regular expressions - Some regular expressions can be quite resource intensive. You may want to check the same.
Moreover, you cannot block with IDM/EDM. Hence, an IDM/EDM + DCM based rule may only be used for monitoring.
The best would be to consider a DCM-based rule with Data Identifiers/optimized regular expressions. Hope this helps.
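To make the regex point concrete, here is an added example (not from the original post and not Symantec DLP code) that contrasts a backtracking-prone pattern with a bounded one, and layers a Luhn validator on top of the bounded pattern in the spirit of a Data Identifier's pattern-plus-validator approach. The sample lines, pattern names and the `find_card_numbers`/`time_search` helpers are all assumptions made for the illustration.

```python
import re
import time

# Constructed sample lines for the demo (not taken from any real system).
SAMPLE_LINES = [
    "order 4111111111111111 shipped",      # 16 digits, passes Luhn
    "ref 4111-1111-1111-1112 rejected",    # 16 digits, fails Luhn
    "ticket 123456789012345678x",          # long digit run ending in a letter
]

# Hypothetical "unoptimized" pattern: a nested quantifier with an optional
# separator, anchored to end of line. When the digit run is followed by a
# non-digit, the engine must try every way of splitting the run before it
# can fail, so matching time grows exponentially with the run length.
SLOW_PATTERN = re.compile(r"(\d+[ -]?)+$")

# Bounded pattern: fixed-width groups and word boundaries, so the engine
# never has to explore how to split a digit run. This is the style of
# pattern the post recommends over an open-ended one.
FAST_PATTERN = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: second tier of the detection, applied only to regex hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Two-tier detection: cheap bounded regex first, checksum validator second."""
    hits = []
    for m in FAST_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def time_search(pattern, text: str) -> float:
    """Seconds spent by one search() call; used to compare pattern cost."""
    start = time.perf_counter()
    pattern.search(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(repr(line), "->", find_card_numbers(line))
    trap = SAMPLE_LINES[2]
    print("slow pattern: %.4fs" % time_search(SLOW_PATTERN, trap))
    print("fast pattern: %.6fs" % time_search(FAST_PATTERN, trap))
```

Running it shows the bounded pattern returning in microseconds on the digit-run line while the nested-quantifier pattern visibly stalls, and the Luhn tier discards the syntactically valid but checksum-invalid number in the second line, which is the kind of false positive a keyword or validator tier is meant to remove.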