Have questions about the new PDQ Agent? The FAQ below has the answers.
Is the Agent Required?
Is the Agent Secure?
What are the Requirements to Use the Agent?
What are the Benefits of the Agent (What Does it Do)?
What Does the Agent Not Do?
How Much Does the Agent Cost (You’ll Like this)?
Does the Agent Work with PDQ Deploy?
How do I Install the Agent?
How does scanning work with the Agent?
1. Is the Agent Required?
No, the Agent is entirely optional. It enables some features that are not possible without it (see "What are the Benefits of the Agent?" below), but PDQ Inventory continues to function as it always has without it.
2. Is the Agent Secure?
Yes. All Agent communications are encrypted (except for the two items detailed below). The Server and the Agent each generate their own RSA asymmetric key pair (4096 bits) and use those keys to encrypt and sign the payloads they send each other. The private keys are encrypted on disk using the same encryption PDQ Inventory uses to store Scan User credentials (the Agent adds DPAPI as an extra layer). The keys never leave the Server or Agent and remain encrypted in memory. PDQ.com cannot see the contents of Agent payloads, because each payload is encrypted with the recipient's public key and can be decrypted only with the corresponding private key, which stays on the recipient. Each message sent between the Server and Agent is also signed with the sender's private key, which lets the recipient confirm that the message is genuine and came from the expected system.
There are two items that aren’t encrypted for performance and compatibility reasons.
All communications with PDQ.com's servers go over HTTPS (https://agentsapi.pdq.com), on top of the payload encryption already described. Internal Agents (those that can reach your PDQ Inventory Server directly) communicate with the Server over the same TCP port as Client consoles, 7337 by default.
8. How do I Install the Agent?
The easiest option for computers that are reachable from PDQ Inventory is to select the target computers, then click Computer -> Install Agent on the menu. For more details, refer to the KB article Installing the PDQ Agent.
9. How does scanning work with the Agent?
Internally: The Server publishes the scan so that the Agent can pick it up at its next Heartbeat. If the Server can reach the Agent's ADMIN$ share (the same share that non-Agent PDQ Inventory scanning uses), it triggers an immediate Agent Heartbeat; otherwise the scan waits for the next scheduled Heartbeat. The Agent contains the same files as the regular Remote Runner, so when a computer has an Agent installed, the Agent is used in preference to the Remote Runner. The Agent runs the scan as soon as it receives the request and pushes the results to the Server as soon as the scan completes. The Server then verifies the signature with the Agent's public key, decrypts the results with the Server's private key, decompresses them, and processes them into the database.
Externally: The Server creates a scan request file, compresses it, encrypts it with the Agent's public key, signs it with the Server's private key, and uploads it to PDQ.com's servers. The next time the Agent checks in with PDQ.com's servers it downloads the scan request file, verifies the signature with the Server's public key, decrypts it with the Agent's private key, decompresses it, and then reads and executes it. When the scan is complete, the Agent packages the results into a file, compresses it, encrypts it with the Server's public key, signs it with the Agent's private key, and uploads it to PDQ.com's servers. When the Server next checks in with PDQ.com's servers it downloads the results file, verifies the signature with the Agent's public key, decrypts it with the Server's private key, decompresses it, and processes it into the database. Because only the Server and the Agent hold the private keys, PDQ.com's servers relay these files without being able to read them.
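The compress, encrypt, sign / verify, decrypt, decompress sequence described in both answers above, written out as an added Go example. This is not PDQ's code: the envelope layout, the gzip compression, and the hybrid scheme (a one-time AES-GCM key that is itself RSA-encrypted, because RSA alone cannot encrypt a file-sized payload) are this example's own assumptions, and the FAQ's 4096-bit keys are lowered to 2048 bits only so that the demo generates keys quickly.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// KeyBits is lowered from the 4096 the FAQ states so that the demo generates keys quickly.
const KeyBits = 2048

// Envelope is the file handed to the relay (PDQ.com's servers in the FAQ); the layout is this example's assumption.
type Envelope struct {
	WrappedKey []byte // one-time AES-256 key, RSA-OAEP encrypted to the recipient's public key
	Nonce      []byte // 12-byte AES-GCM nonce
	Ciphertext []byte // AES-GCM over gzip(payload)
	Signature  []byte // RSA-PSS by the sender over SHA-256(WrappedKey || Nonce || Ciphertext)
}

// GenerateKey creates one side's key pair (the FAQ: one for the Server, one for the Agent).
func GenerateKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, KeyBits) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// digest covers every envelope field except the signature. WrappedKey and Nonce have fixed
// sizes, so plain concatenation cannot be made ambiguous by shifting bytes between fields.
func digest(e *Envelope) []byte {
	d := sha256.Sum256(bytes.Join([][]byte{e.WrappedKey, e.Nonce, e.Ciphertext}, nil))
	return d[:]
}

// Seal is the FAQ's sender side: compress, encrypt with the recipient's public key, sign with
// the sender's private key. RSA alone encrypts at most a few hundred bytes, so the file is
// encrypted under a one-time AES-GCM key and only that key is RSA-wrapped (hybrid encryption,
// an assumption; the page does not say how PDQ handles file-sized payloads).
func Seal(payload []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	var zbuf bytes.Buffer
	zw := gzip.NewWriter(&zbuf)
	zw.Write(payload) // writing into a bytes.Buffer cannot fail
	zw.Close()
	kn := make([]byte, 32+12) // AES-256 key followed by the GCM nonce
	if _, err := io.ReadFull(rand.Reader, kn); err != nil {
		return nil, err
	}
	gcm, err := newGCM(kn[:32])
	if err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: kn[32:], Ciphertext: gcm.Seal(nil, kn[32:], zbuf.Bytes(), nil)}
	if env.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, kn[:32], nil); err != nil {
		return nil, err
	}
	env.Signature, err = rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest(env), nil)
	return env, err
}

// Open is the FAQ's receiver side, in the stated order: verify with the sender's public key,
// decrypt with the recipient's private key, decompress. A forged or tampered file fails the
// first step and is never decrypted or inflated.
func Open(env *Envelope, sender *rsa.PublicKey, recipient *rsa.PrivateKey) ([]byte, error) {
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest(env), env.Signature, nil); err != nil {
		return nil, fmt.Errorf("rejecting file, signature does not verify: %w", err)
	}
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(plain))
	if err != nil {
		return nil, err
	}
	// Cap the inflated size so even a compromised peer cannot exhaust memory with a decompression bomb.
	return io.ReadAll(io.LimitReader(zr, 64<<20))
}

func main() {
	server, _ := GenerateKey()
	agent, _ := GenerateKey()
	// Server -> Agent scan request (constructed sample); results flow back with the roles swapped.
	req, _ := Seal([]byte("scan profile: Standard; target: WS-01"), server, &agent.PublicKey)
	out, err := Open(req, &server.PublicKey, agent)
	fmt.Printf("agent read %q (err=%v)\n", out, err)
}
```

Run it with `go run`; the results direction is the same call with the Agent as sender and the Server as recipient. Two points worth checking when evaluating a design like this: the receiver verifies the signature before it decrypts or decompresses anything, so a relay that alters or forges a file costs the receiver nothing more than one signature check; and the example assumes each side already holds the other's public key, while the FAQ does not describe how the Server and Agent first exchange and trust those keys.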