I'm wondering if somebody is using the filters to get rid of the logging for the antivirus updates. Usually the antivirus updates cause the signature 2100 to fire.
The IPS configuration guide says:
When filtering sweep signatures, we recommend that you do not use the destination address. If there are several destination addresses, only the last address is used for matching the filter.
I'm kind of learning IPS by trial and error in the test environment. Maybe somebody can share the experience from the real production environment.