PDServer™ Remote Agent is designed to offer security and flexibility for remote acquisition and analysis. By default the PDServer™ Remote Agent is intended to be run from a trusted CD, USB drive or floppy, and only during Incident Response or active Auditing. Users are given the option to install the PDServer™ Remote Agent on systems in a "Stealth" mode, but an installation of this type should not be left in place for extended periods of time. Technology Pathways has implemented the following PDServer™ Remote Agent security features to ensure data security and integrity:
The user may elect to have all communications between the host and the remote agent protected with 256-bit Twofish encryption. Even if the user chooses not to encrypt the data, the password is always encrypted.
The protocol used to establish and run each session with the remote agent tags the session with Globally Unique Identifiers (GUIDs) so that no other process can insert packets into the data stream; as a result the remote agent communicates with only one client per session. Note that a session identifier only defends against parties that cannot see the traffic: anyone able to read an unencrypted stream can also read the GUID, so enable session encryption wherever packet injection on the network path is a concern.
The remote agent is password-protected to prevent use by unauthorized personnel. The password is always encrypted during session establishment, even if the user chooses not to encrypt the session.
The remote agent is intended to be executed from a write-protected device such as a CD or floppy so that the agent binaries cannot be altered by unauthorized users.
The PDServer.exe file and the PARemove.sys device driver have both been digitally signed and are verifiable through the Thawte CA (certificate authority). To verify either file, right-click the file, choose Properties, open the Digital Signatures tab, highlight the signature and click Details.
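The same check can be scripted so that it is repeatable and can be run against the copy of the agent on the trusted media before every engagement. The following PowerShell is an added example, not code from Technology Pathways or from the PDServer™ product; it relies on the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets, and the file paths under D:\PDServer\ are assumptions to be replaced with the location of the agent files (for example the CD or USB drive they are run from).

```powershell
# Added example (not part of the PDServer(TM) documentation): verify the
# Authenticode signatures on PDServer.exe and PARemove.sys from the command
# line instead of the file-properties dialog, and record a SHA-256 hash of
# each file so the copy on the write-protected media can be compared later.
# The paths below are assumptions; change them to where the agent files live.
$files = @(
    'D:\PDServer\PDServer.exe',
    'D:\PDServer\PARemove.sys'
)

$results = foreach ($path in $files) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not found: $path"
        continue
    }

    $sig = Get-AuthenticodeSignature -FilePath $path

    # Status is 'Valid' only when the embedded hash matches the file and the
    # signer certificate chains to a root trusted on this machine. Any other
    # value (NotSigned, HashMismatch, NotTrusted, UnknownError, ...) means the
    # file must not be run.
    $ok = ($sig.Status -eq 'Valid')

    if (-not $ok) {
        Write-Error "Signature check FAILED for ${path}: $($sig.Status) - $($sig.StatusMessage)"
    }

    [pscustomobject]@{
        File    = $path
        Status  = $sig.Status
        Trusted = $ok
        # Subject/Issuer are printed for manual review: the issuer chain is
        # expected to lead to the Thawte CA named in the product documentation.
        Signer  = $sig.SignerCertificate.Subject
        Issuer  = $sig.SignerCertificate.Issuer
        Expires = $sig.SignerCertificate.NotAfter
        SHA256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}

$results | Format-List

# Non-zero exit when any file failed, so the script can gate a checklist step.
if ($results | Where-Object { -not $_.Trusted }) { exit 1 } else { exit 0 }
```

Run it from an elevated or normal PowerShell prompt on the examining host; keep the SHA256 values it prints with the case notes, since a signature that is still Valid but a hash that differs from the one recorded on the trusted media indicates the file was replaced with a different signed build.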
When the remote agent is set to require password authentication, it will refuse logon requests for 5 minutes after an incorrect password has been supplied 5 times in a row.
Should the user elect to pre-install the remote agent, the code has been designed with that exposure in mind. The binaries are not capable of writing anything to the disk, so an attacker cannot use them to create back doors or load malicious code on the system. The code has been designed to avoid buffer overflow conditions, and none have been found in our testing.