# EDR Compatibility and Exclusions
Section: Reference | Article 54
Audience: IT Administrators, Security Teams
Last Updated: 2026-04-07
## Overview
RP-PAM is designed to work alongside Endpoint Detection and Response (EDR) solutions. Because RP-PAM is agentless — it does not install any software on managed endpoints — EDR agents on your servers, workstations, and other managed systems are completely unaffected by RP-PAM operations.
However, the RP-PAM server itself may trigger false positives or suffer performance degradation if your EDR solution is not configured with appropriate exclusions. This article lists the exclusions needed, with configuration notes for the major EDR platforms covered below. Scope every exclusion to the RP-PAM server and to exactly the paths and binaries listed; a broader exclusion (a parent directory, or every process under a path) removes EDR visibility from a host that holds privileged credentials.
## Why Exclusions Are Needed
RP-PAM performs several activities that EDR solutions may flag as suspicious:
| RP-PAM Activity | Why EDR May Flag It | Impact If Not Excluded |
|---|---|---|
| Vault encryption/decryption | High-frequency disk writes with encrypted content | Slow credential checkout; vault timeouts |
| Module host processes | `rppam-module-host` spawns as a child process, communicates via named pipes, then exits | EDR may kill the process as suspicious parent-child behaviour |
| gRPC inter-node traffic | Encrypted traffic on ports 7001–7012 between cluster nodes | May be flagged as C2 (command-and-control) traffic |
| OS key store access | DPAPI calls (Windows) or kernel keyring operations (Linux) | May be flagged as a credential theft technique |
| CLI tool execution | `rppam-migrate`, `rppam-upgrade`, `rppam-breakglass` run as command-line tools | Script control policies may block execution |
| Session recording writes | Large encrypted files written to disk during active sessions | Real-time scanning slows recording; may corrupt files |
| Log file writes | High-frequency structured JSON log writes | I/O bottleneck from real-time scanning |
## Exclusions by Platform
### File Path Exclusions
Add these paths to your EDR's file scanning exclusion list on every RP-PAM server:
Windows Server:

| Path | Purpose |
|---|---|
| `C:\Program Files\Ravenphyre\RP-PAM\` | Application binaries and tools |
| `C:\ProgramData\Ravenphyre\RP-PAM\Logs\` | Log files |
| `C:\ProgramData\Ravenphyre\RP-PAM\Backups\` | Database backups |
| `C:\ProgramData\Ravenphyre\RP-PAM\Keys\` | Key files (legacy; the OS key store is primary) |

Linux:

| Path | Purpose |
|---|---|
| `/opt/rppam/` | Application binaries and tools |
| `/var/log/rppam/` | Log files |
| `/var/lib/rppam/` | Keys, modules, backups, recordings |
| `/etc/rppam/` | Configuration files |
Docker:

| Volume / Path | Purpose |
|---|---|
| Docker volumes named `rppam-*` | All RP-PAM data volumes |
| `/var/lib/docker/volumes/` | Docker volume storage (if scanning at host level) |

Excluding `/var/lib/docker/volumes/` as a whole removes every container's volume data from scanning, not only RP-PAM's. Where the EDR accepts per-directory paths, exclude only the `rppam-*` volume directories beneath it.
### Process Exclusions
Add these processes to your EDR's process monitoring exclusion list:

Windows:

| Process | Purpose |
|---|---|
| `Ravenphyre.RpPam.Host.exe` | Main RP-PAM service |
| `rppam-module-host.exe` | Module child process (spawns per module, communicates via named pipes) |
| `rppam-migrate.exe` | Database migration tool |
| `rppam-upgrade.exe` | Upgrade tool |
| `rppam-setup.exe` | First-run setup wizard |
| `rppam-breakglass.exe` | Break-glass account tool |
| `guacd.exe` | Guacamole daemon for browser-based RDP sessions (loopback only, managed by RP-PAM Host) |

Linux:

| Process | Purpose |
|---|---|
| `Ravenphyre.RpPam.Host` | Main RP-PAM service |
| `rppam-module-host` | Module child process |
| `rppam-migrate` | Database migration tool |
| `rppam-upgrade` | Upgrade tool |
| `rppam-setup` | First-run setup wizard |
| `rppam-breakglass` | Break-glass account tool |
| `guacd` | Guacamole daemon for browser-based RDP sessions (loopback only, managed by RP-PAM Host) |
### Network Exclusions
Add these network rules to your EDR's network monitoring exceptions:
| Traffic | Ports | Direction | Purpose |
|---|---|---|---|
| gRPC inter-node | TCP 7001–7012 | Between RP-PAM nodes | Internal service communication (mTLS encrypted) |
| REST API / Portal | TCP 7101 | Inbound | Web portal and API |
| Redis | TCP 6379 | Between RP-PAM nodes and Redis | Distributed cache (HA deployments) |
| LVS check-in | TCP 443 outbound | To lvs.ravenphyre.net | License validation |
| LDAPS | TCP 636 outbound | To AD domain controllers | Active Directory operations |
## Vendor-Specific Configuration
### CrowdStrike Falcon
Falcon Console → Configuration → Exclusions:
- File Exclusions: Add all paths from the table above as "Sensor Exclusions" (not just ML exclusions). A sensor visibility exclusion stops the sensor collecting telemetry for those paths, so apply it to the listed RP-PAM paths only, never to a parent directory
- Process Exclusions: Add `Ravenphyre.RpPam.Host.exe` and `rppam-module-host.exe` to "Process Exclusions"
- Custom IOA Rules: If you have custom IOA rules that flag named pipe communication or child process spawning, add an exception for the RP-PAM install directory
- Network Containment: Ensure ports 7001–7012 between RP-PAM nodes are not flagged by network containment policies
### SentinelOne
Management Console → Sentinels → Exclusions:
- Path Exclusions: Add all paths above. Use "Suppress Alerts" mode, not just "Performance Focus"
- Hash Exclusions: After installing RP-PAM, add the SHA-256 hashes of `Ravenphyre.RpPam.Host.exe` and `rppam-module-host.exe` to the hash allow list (hashes change with each version; update them after every upgrade)
- Interoperability: If SentinelOne's "Suspicious Process" detection flags `rppam-module-host`, set it to "Detect" instead of "Protect" for the RP-PAM directory, then verify and permanently exclude
### Carbon Black (VMware)
CB Cloud Console → Enforce → Policies:
- Bypass Rules: Add all RP-PAM paths to the "Approved IT Tools" bypass list
- Application Control: If using App Control, add all RP-PAM executables to the approved applications list
- Network Rules: Add a network rule allowing TCP 7001–7012 between RP-PAM node IPs
### Tanium
Tanium Protect → Policies → Exclusions:
- File Integrity Monitoring: Exclude the RP-PAM data directories from FIM (the vault and log files change frequently by design). Keep FIM on the binary directories (`C:\Program Files\Ravenphyre\RP-PAM\`, `/opt/rppam/`), which should change only during an upgrade
- Process Control: Add RP-PAM binaries to the allowed process list
- Network Quarantine: Ensure Tanium Threat Response does not quarantine gRPC traffic between RP-PAM nodes
### Microsoft Defender for Endpoint
Microsoft 365 Defender → Settings → Endpoints → Advanced Features → Exclusions:
- File/Folder Exclusions:
  - `C:\Program Files\Ravenphyre\RP-PAM\`
  - `C:\ProgramData\Ravenphyre\RP-PAM\`
- Process Exclusions:
  - `Ravenphyre.RpPam.Host.exe`
  - `rppam-module-host.exe`
- ASR Rules: If Attack Surface Reduction rules are enabled, add exclusions for:
  - "Block process creations originating from PSExec and WMI commands" (RP-PAM CLI tools may trigger this)
  - "Block credential stealing from the Windows local security authority subsystem" (DPAPI key access may trigger this)
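The same exclusions can be applied and, more usefully, verified with the Defender Antivirus cmdlets on the RP-PAM server. The script below is an added example written for this article; it is not Ravenphyre's tooling and not the portal procedure above. It assumes Defender Antivirus is running locally and that it is not overridden by Intune, Group Policy or portal-managed policy (where it is, the managed policy wins and only the verification part is meaningful). The ASR rule GUIDs are Microsoft's documented identifiers for the two rules named above; the paths and process names come from the lists above. Note that a Defender process exclusion exempts files opened by that process from real-time scanning rather than the binary itself, which is why the folder exclusions are still required.

```powershell
# Added example (not RP-PAM's own tooling): apply the Defender exclusions listed above and
# verify they are in effect. Run in an elevated PowerShell session on the RP-PAM server.
# Assumption: Defender AV is locally managed; managed policy (Intune/GPO/portal) may overwrite this.

# Folder exclusions from the list above (trailing backslash omitted; Defender accepts either form).
$paths = @(
    'C:\Program Files\Ravenphyre\RP-PAM',
    'C:\ProgramData\Ravenphyre\RP-PAM'
)
# Process exclusions: files *opened by* these processes are not scanned in real time.
# The executables themselves are already covered by the folder exclusions.
$procs = @(
    'Ravenphyre.RpPam.Host.exe',
    'rppam-module-host.exe'
)
# Only the two ASR rules the article names, keyed by Microsoft's documented rule GUIDs.
$asrRules = @{
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from the Windows local security authority subsystem'
}

function Add-RpPamDefenderExclusions {
    Add-MpPreference -ExclusionPath $paths
    Add-MpPreference -ExclusionProcess $procs

    # ASR exclusions are one path list applied to every ASR rule, so only add it when at least one
    # of the two rules above is actually configured (Block, Audit or Warn) on this host.
    $prefs   = Get-MpPreference
    $enabled = @($prefs.AttackSurfaceReductionRules_Ids) | Where-Object { $asrRules.ContainsKey($_) }
    if ($enabled) {
        Add-MpPreference -AttackSurfaceReductionOnlyExclusions $paths
        $enabled | ForEach-Object { Write-Host "ASR exclusion added for: $($asrRules[$_])" }
    }
}

function Test-RpPamDefenderExclusions {
    # Returns the list of expected exclusions that are NOT present; empty means everything is in effect.
    $prefs   = Get-MpPreference
    $missing = @()
    foreach ($p in $paths) { if ($prefs.ExclusionPath    -notcontains $p) { $missing += "ExclusionPath: $p" } }
    foreach ($p in $procs) { if ($prefs.ExclusionProcess -notcontains $p) { $missing += "ExclusionProcess: $p" } }
    $asrOn = @($prefs.AttackSurfaceReductionRules_Ids) | Where-Object { $asrRules.ContainsKey($_) }
    if ($asrOn) {
        foreach ($p in $paths) {
            if ($prefs.AttackSurfaceReductionOnlyExclusions -notcontains $p) { $missing += "ASR exclusion: $p" }
        }
    }
    return $missing
}

Add-RpPamDefenderExclusions
$missing = Test-RpPamDefenderExclusions
if ($missing) {
    $missing | ForEach-Object { Write-Warning "Not in effect: $_" }
} else {
    Write-Host 'All RP-PAM Defender exclusions are in effect.'
}
```

If `Test-RpPamDefenderExclusions` reports items missing immediately after `Add-MpPreference` succeeded, the server is receiving a managed policy that does not carry the exclusions; add them in that policy rather than locally.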
### Sophos Intercept X
Sophos Central → Global Settings → Exclusions:
- Add all paths as "Scanning Exclusions" (both real-time and scheduled)
- Add `Ravenphyre.RpPam.Host.exe` to "Exploit Mitigation Exclusions" if Sophos flags DPAPI access
## Managed Endpoints (No Action Needed)
RP-PAM is agentless — it does not install software on the servers, databases, or workstations it manages. All access provisioning and session recording happens at the proxy and API layer on the RP-PAM server.
This means:
- No EDR exclusions are needed on managed endpoints (your AD domain controllers, database servers, SSH targets, etc.)
- EDR agents on managed endpoints continue to function normally
- If a user's session through RP-PAM triggers an EDR alert on the managed endpoint, that alert is legitimate and should be investigated — RP-PAM's presence does not change the EDR's visibility on target systems
## Verifying Exclusions Are Working
After configuring exclusions, verify RP-PAM is operating without EDR interference:
Check 1: Service starts without delay
Windows PowerShell:
Linux:
If startup takes more than 30 seconds, EDR may still be scanning RP-PAM files on load.
Check 2: Module host processes are not being killed
Windows PowerShell:
```powershell
# Should show rppam-module-host processes while modules are active
Get-Process | Where-Object { $_.Name -like "*rppam-module*" }
```
Linux:
If module host processes are repeatedly restarting (check logs for "module host crashed"), EDR may be terminating them.
Check 3: Vault operations complete in under 100ms
Check the RP-PAM logs for vault operation timing. Healthy operations complete in well under 100 ms; if credential checkout or rotation operations take more than 1 second, real-time file scanning is probably interfering with vault I/O.
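The three checks above, plus a port check for the inter-node gRPC range, as one PowerShell script for a Windows RP-PAM node. This is an added example written for this article, not RP-PAM's own tooling. It assumes a Windows service named `RP-PAM` (the article does not state the service name), that the structured JSON logs carry `msg`, `op` and `duration_ms` fields (assumed field names; adjust to what your logs actually contain), and a list of peer node addresses. The sample log lines embedded in the script are constructed so the log-based checks can be run without a live server.

```powershell
# Added example (not RP-PAM's own tooling): run this section's checks on a Windows RP-PAM node.
# Assumptions not stated in the article: service name 'RP-PAM', log field names 'msg', 'op'
# and 'duration_ms', and the peer node list. Run elevated. Check 1 restarts the service, so
# run it only inside a maintenance window.

$ServiceName = 'RP-PAM'                                   # assumed service name
$LogDir      = 'C:\ProgramData\Ravenphyre\RP-PAM\Logs'    # path from the exclusion table above
$PeerNodes   = @('10.0.0.12')                              # assumed: the other cluster nodes

# Check 1: time a restart; more than 30 s suggests the binaries are still scanned on load.
function Test-RpPamStartup {
    param([string]$Name = $ServiceName)
    $elapsed = Measure-Command { Restart-Service -Name $Name -ErrorAction Stop }
    [pscustomobject]@{
        Check   = 'Startup'
        Seconds = [math]::Round($elapsed.TotalSeconds, 1)
        Pass    = ($elapsed.TotalSeconds -le 30)
    }
}

# Check 2: module hosts should be running and the logs should carry no "module host crashed" events.
function Test-RpPamModuleHosts {
    param([string[]]$LogLines)
    $running = @(Get-Process -Name 'rppam-module-host' -ErrorAction SilentlyContinue)
    $crashes = @($LogLines | Where-Object { $_ -match 'module host crashed' })
    [pscustomobject]@{
        Check       = 'ModuleHosts'
        Running     = $running.Count
        CrashEvents = $crashes.Count
        Pass        = ($crashes.Count -eq 0)
    }
}

# Check 3: vault operations normally finish well under 100 ms; anything over 1 s points at
# real-time scanning of the vault data directory. Lines that are not JSON or not vault ops are skipped.
function Test-RpPamVaultTiming {
    param([string[]]$LogLines, [int]$ThresholdMs = 1000)
    $ops = foreach ($line in $LogLines) {
        try { $entry = $line | ConvertFrom-Json -ErrorAction Stop } catch { continue }
        if ($entry.op -like 'vault.*' -and $null -ne $entry.duration_ms) { $entry }
    }
    $slow = @($ops | Where-Object { [int]$_.duration_ms -gt $ThresholdMs })
    [pscustomobject]@{
        Check   = 'VaultTiming'
        Sampled = @($ops).Count
        Slow    = $slow.Count
        SlowOps = ($slow | ForEach-Object { "$($_.op)=$($_.duration_ms)ms" }) -join ', '
        Pass    = ($slow.Count -eq 0)
    }
}

# Extra check for the "cluster nodes can't communicate" symptom in the troubleshooting table:
# every port in the gRPC range must be reachable on every peer node.
function Test-RpPamClusterPorts {
    param([string[]]$Peers = $PeerNodes)
    foreach ($peer in $Peers) {
        foreach ($port in 7001..7012) {
            $open = Test-NetConnection -ComputerName $peer -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ Check = 'ClusterPort'; Peer = $peer; Port = $port; Pass = $open }
        }
    }
}

# Constructed sample log lines (field names are assumptions) so the log checks run without a server.
# On a real node use:  $logLines = Get-Content -Path (Join-Path $LogDir '*.log')
$logLines = @'
{"ts":"2026-04-07T10:00:01Z","level":"info","msg":"vault operation complete","op":"vault.checkout","duration_ms":42}
{"ts":"2026-04-07T10:00:05Z","level":"error","msg":"module host crashed","module":"ldap"}
{"ts":"2026-04-07T10:00:09Z","level":"info","msg":"vault operation complete","op":"vault.rotate","duration_ms":2350}
{"ts":"2026-04-07T10:00:10Z","level":"info","msg":"session recording flushed","bytes":1048576}
'@ -split "`r?`n" | Where-Object { $_ }

$results = @(
    Test-RpPamModuleHosts -LogLines $logLines
    Test-RpPamVaultTiming -LogLines $logLines
    # Test-RpPamStartup        # uncomment on the server, inside a maintenance window
    # Test-RpPamClusterPorts   # uncomment on the server once $PeerNodes is filled in
)
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more checks failed; re-check the EDR exclusions for this node.'
}
```

With the constructed sample, `Test-RpPamModuleHosts` reports one crash event and `Test-RpPamVaultTiming` flags `vault.rotate=2350ms`, so both checks fail; on a correctly excluded node both should pass. Match any failure to the corresponding row of the troubleshooting table below.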
## Troubleshooting EDR Conflicts
| Symptom | Likely Cause | Solution |
|---|---|---|
| RP-PAM service takes >30 seconds to start | EDR scanning binaries on load | Add process exclusions for all RP-PAM executables |
| Module host processes keep crashing | EDR killing child processes | Add rppam-module-host to process allow list |
| Vault checkout is slow (>1 second) | Real-time file scanning on vault data directory | Add data directory to file exclusions |
| Session recordings are corrupted | EDR scanning/locking recording files during write | Exclude recording storage path from real-time scanning |
| "Access denied" on CLI tools | Script control blocking execution | Add RP-PAM tools directory to allowed scripts/executables |
| Cluster nodes can't communicate | EDR flagging gRPC as suspicious traffic | Add inter-node ports (7001–7012) to network exclusions |
| Break-glass login fails | DPAPI/keyring access blocked | Add DPAPI exclusion or credential access exception for RP-PAM process |
If you continue to experience issues after applying all exclusions, collect the following for Ravenphyre support:

1. RP-PAM logs (see Log Collection)
2. EDR console alerts/detections related to RP-PAM processes or paths
3. EDR policy export showing current exclusions
## Next Steps
- General Troubleshooting — If issues persist after exclusion configuration
- Support Contact — Contact Ravenphyre support with EDR-specific issues
RP-PAM v1.0.0 — Copyright 2026 Ravenphyre. All rights reserved.