We are announcing the End of Life (EOL) of the optional PDQ Agent beta from our existing products. See this blog post for more information https://www.pdq.com/blog/pdq-agent-status-update/
Have questions about the PDQ Agent? The FAQ below has the answers.
Is the Agent Required?
Is the Agent Secure?
What are the Requirements to Use the Agent?
What are the Benefits of the Agent (What Does it Do)?
What Does the Agent Not Do?
How Much Does the Agent Cost (You’ll Like this)?
Does the Agent Work with PDQ Deploy?
How do I Install the Agent?
How does scanning work with the Agent?
1. Is the Agent Required?
No, the Agent is entirely optional. It offers some features that are not possible without it (see What are the Benefits of the Agent below), but PDQ Inventory continues to function as it always has without it.
2. Is the Agent Secure?
Yes, with the two exceptions detailed below. The Server and the Agent each generate their own 4096-bit RSA key pair. Every message one side sends to the other is encrypted with the recipient's public key and signed with the sender's private key, so only the holder of the matching private key can read it, and the recipient can verify that it is genuine and came from the expected system. The private keys are encrypted on disk using the same mechanism PDQ Inventory uses to store Scan User credentials; the Agent wraps its key with Windows DPAPI as an extra layer. The private keys never leave the Server or the Agent, and they are kept encrypted in memory as well. PDQ.com relays payloads for External Agents but cannot read them, because they are encrypted to public keys whose private halves exist only on your Server and your Agents.
Two items are not encrypted, for performance and compatibility reasons:
- The initial connection, or handshake, from the Agent to the Server. It is sent in the clear to preserve forward compatibility and to reduce load on the Server. It carries only the Agent's version, its unique ID and its public key, none of which needs to be kept confidential. It does still need to be genuine: the Server relies on the public key it receives here to verify every later signature from that Agent. This exception does not apply to communication with the PDQ.com server.
- The Installer executable copied from the Server to the computer being enrolled. It is sent unencrypted for performance. Because the Agent's key pair does not exist until the Agent is installed, the integrity of that copy rests on the transport used to copy it rather than on the Agent's own encryption.
All communication with PDQ.com's servers is over HTTPS (https://agentsapi.pdq.com), on top of the message encryption described above. Internal Agents communicate with your PDQ Inventory Server over the same TCP port that Client consoles use, 7337 by default.
3. What are the Requirements to Use the Agent?
- An Enterprise license for PDQ Inventory.
- An instance of PDQ Inventory, version 16 or later, running in Central Server mode as the Server.
- The Agent must be able to reach either your PDQ Inventory Server or PDQ.com's servers. If you have External Agents, your PDQ Inventory Server must also be able to reach PDQ.com's servers.
4. What are the Benefits of the Agent (What Does it Do)?
- Provide scanning for computers that are outside of your network.
- Provide scanning for computers that have SMB blocked by a firewall.
- Update the Current User field immediately as users log on and off.
- Update the Uptime field as soon as a computer boots back up.
- Keep a log of Events such as Logon, Logoff, Startup, and Shutdown. The Agent sends these as quickly as possible. If the Agent is unable to communicate with any servers, it will store these Events until it is able to communicate again.
- Run a partial scan (Computer Details, Active Directory and Network Adapters) with every Agent Heartbeat (every 5 minutes; the interval is not currently configurable).
- Scanner files (EXEs and DLLs) are installed with the Agent, reducing the network traffic a scan generates.
5. What Does the Agent Not Do?
- Deploy edited or custom packages from your PDQ Server (see question 9 below).
- Some features, such as the Services and Processes pages and Remote Tools, do not currently work with External Agents.
7. Does the Agent Work with PDQ Deploy?
Yes. As of PDQ Deploy 17 you can use the PDQ Inventory Agent with PDQ Deploy to deploy unedited packages from the Package Library to External Agents.
9. When will I be able to use the Agent to deploy my custom packages to external machines?
We are still investigating the viability of such a feature and the myriad of ways in which it might be implemented. Our current ETA is sometime between now and the eventual heat death of the universe.
10. How do I Install the Agent?
The easiest option for computers that PDQ Inventory can reach is to select the targets, then choose Computer -> Install Agent from the menu. For more details, see the KB article Installing the PDQ Agent.
11. How does scanning work with the Agent?
Internally: the Server publishes the scan so that the Agent can pick it up at its next Heartbeat. If the Server can reach the target's ADMIN$ share (the same share PDQ Inventory uses for non-Agent scans), it also triggers an immediate Heartbeat; otherwise the scan waits for the next scheduled Heartbeat. Because the Agent ships with the same scanner files as the regular Remote Runner, a computer that has the Agent is scanned through the Agent in preference to the Remote Runner. The Agent runs the scan as soon as it receives the request and pushes the results to the Server as soon as it completes. The Server verifies the signature with the Agent's public key, decrypts the results with its own private key, decompresses them, and processes them into the database.
Externally: the Server creates a scan request file, compresses it, encrypts it with the Agent's public key, signs it with the Server's private key, and uploads it to PDQ.com's servers. The next time the Agent checks in with PDQ.com's servers it downloads the request file, verifies the signature with the Server's public key, decrypts it with the Agent's private key, decompresses it, and then reads and executes it. When the scan completes, the Agent packages the results into a file, compresses it, encrypts it with the Server's public key, signs it with the Agent's private key, and uploads it to PDQ.com's servers. When the Server next checks in with PDQ.com's servers it downloads the results file, verifies the signature with the Agent's public key, decrypts it with the Server's private key, decompresses it, and processes it into the database. In both directions the relay only ever holds ciphertext, which is what lets PDQ.com carry the traffic without being able to read it.
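The compress, encrypt, sign exchange described in question 2 and in the scanning flow above, as an added example in Go. This is not PDQ's code and does not reproduce its wire format. It assumes hybrid encryption (a per-message AES-256-GCM key wrapped with RSA-OAEP), because RSA alone cannot encrypt a payload the size of a scan result and the page says only that payloads are "encrypted with the public key"; the Envelope layout, the length-prefixed signing input, the Agent ID agent-01 and the scan request and result strings are all constructed for the example. RunExchange(4096) runs one request/response round trip with keys of the size the page states.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is one Server<->Agent message. The layout is this example's own; the page
// does not document PDQ's wire format.
type Envelope struct {
	SenderID   string // the Agent's unique ID, or "server"
	WrappedKey []byte // per-message AES-256 key, RSA-OAEP encrypted to the recipient's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM over gzip(payload); SenderID is bound as additional data
	Signature  []byte // RSA-PSS/SHA-256 by the sender's private key over the fields above
}

// signedDigest hashes the length-prefixed fields the signature covers.
func (e *Envelope) signedDigest() []byte {
	h := sha256.New()
	for _, f := range [][]byte{[]byte(e.SenderID), e.WrappedKey, e.Nonce, e.Ciphertext} {
		fmt.Fprintf(h, "%d:", len(f))
		h.Write(f)
	}
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal is the sender's side: compress, encrypt to the recipient's public key, sign with
// the sender's private key. RSA-OAEP cannot encrypt a large payload directly, so a random
// AES key carries it and RSA wraps that key (hybrid encryption, an assumption of this example).
func Seal(senderID string, payload []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(payload); err != nil { return nil, err }
	if err := zw.Close(); err != nil { return nil, err }
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil { return nil, err }
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	env := &Envelope{SenderID: senderID, Nonce: make([]byte, gcm.NonceSize())}
	if _, err := io.ReadFull(rand.Reader, env.Nonce); err != nil { return nil, err }
	env.Ciphertext = gcm.Seal(nil, env.Nonce, buf.Bytes(), []byte(senderID))
	env.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil { return nil, err }
	env.Signature, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, env.signedDigest(), nil)
	return env, err
}

// Open is the receiver's side in the order the page gives: verify the signature with the
// sender's public key, then decrypt with the receiver's private key, then decompress.
// A tampered message, or one signed by any other key, is rejected before decryption.
func Open(env *Envelope, senderPub *rsa.PublicKey, recipientPriv *rsa.PrivateKey) ([]byte, error) {
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, env.signedDigest(), env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil { return nil, err }
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	compressed, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.SenderID))
	if err != nil { return nil, err }
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil { return nil, err }
	return io.ReadAll(zr)
}

// RunExchange walks one scan through the flow: the Server seals a request for the Agent,
// the Agent opens it and seals constructed results back, and the Server opens those.
func RunExchange(keyBits int) ([]byte, error) {
	serverKey, err := rsa.GenerateKey(rand.Reader, keyBits) // 4096 matches the page
	if err != nil { return nil, err }
	agentKey, err := rsa.GenerateKey(rand.Reader, keyBits)
	if err != nil { return nil, err }
	// Agent public keys the Server learned from the cleartext handshake, keyed by Agent ID.
	agentKeys := map[string]*rsa.PublicKey{"agent-01": &agentKey.PublicKey}
	req, err := Seal("server", []byte("scan: Computer Details, Active Directory, Network Adapters"), serverKey, agentKeys["agent-01"])
	if err != nil { return nil, err }
	request, err := Open(req, &serverKey.PublicKey, agentKey) // Agent side
	if err != nil { return nil, err }
	resp, err := Seal("agent-01", []byte("results for "+string(request)+" (constructed)"), agentKey, &serverKey.PublicKey)
	if err != nil { return nil, err }
	pub, ok := agentKeys[resp.SenderID] // Server side: never verify against a key the sender supplies in-band
	if !ok { return nil, fmt.Errorf("results from unknown agent %q", resp.SenderID) }
	return Open(resp, pub, serverKey)
}
```

Two points the code makes explicit that the prose leaves implicit: the receiver verifies the signature before it touches the ciphertext, so a tampered or wrongly signed file is rejected without being decrypted; and the Server looks up the Agent's public key by Agent ID from what it recorded at the handshake, never from a key carried inside the message, which is why the cleartext handshake is the point at which trust in an Agent's key is established. Key generation dominates the run time at 4096 bits.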