Frequently Asked Questions
Common questions about ServerTools, licensing, and setup
Why does my antivirus or Windows Defender flag ServerTools?
ServerTools is a security scanner that inspects system configurations, registry keys, network services, and checks for known vulnerabilities. These are the same behaviors that antivirus and EDR software look for when detecting malware — so false positives are common with security tools.
This is not unique to ServerTools. Tools like Nmap, Wireshark, Metasploit, and Burp Suite all face the same issue. Any tool that probes system security will overlap with behaviors that AV heuristics flag.
How to whitelist ServerTools on Windows Defender
- Open Windows Security (search for it in the Start menu).
- Go to Virus & threat protection.
- Under “Virus & threat protection settings”, click Manage settings.
- Scroll down to Exclusions and click Add or remove exclusions.
- Click Add an exclusion → Folder, then select the directory containing servertools.exe.
PowerShell (run as Administrator)
Add-MpPreference -ExclusionPath "C:\path\to\servertools"
For other antivirus products
The process is similar — add the ServerTools folder or executable to your AV's exclusion or allowlist. Consult your vendor's documentation for the exact steps. If your IT team manages your AV centrally (e.g., via SCCM, Intune, or GPO), ask them to add a policy exclusion.
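An added example (not ServerTools' own code) for the Windows Defender exclusion step above: it checks the binary and the folder's permissions before running the FAQ's Add-MpPreference command, then reads the exclusion back. The expected hash is a placeholder, and the principal names in the ACL check assume an English-language Windows install.

```powershell
# Added example. Run in an elevated PowerShell session.
$ToolDir      = 'C:\path\to\servertools'        # folder from the FAQ command
$ToolExe      = Join-Path $ToolDir 'servertools.exe'
$ExpectedHash = '<SHA256-FROM-A-TRUSTED-SOURCE>' # placeholder, not a real value

# 1. Confirm the binary is the one you intend to trust before exempting it
#    from scanning. Get-FileHash returns upper-case hex; -ne ignores case.
$actual = (Get-FileHash -Path $ToolExe -Algorithm SHA256).Hash
if ($actual -ne $ExpectedHash) {
    throw "Hash mismatch for $ToolExe ($actual); not adding an exclusion."
}
$sig = Get-AuthenticodeSignature -FilePath $ToolExe
Write-Host "Authenticode status: $($sig.Status)"

# 2. Defender stops scanning an excluded folder, so anything dropped there
#    is also skipped. Refuse to continue if non-admin groups can write to it.
$risky = (Get-Acl -Path $ToolDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -match 'Everyone|BUILTIN\\Users|Authenticated Users' -and
    $_.FileSystemRights  -match 'Write|Modify|FullControl'
}
if ($risky) {
    $risky | Format-Table IdentityReference, FileSystemRights
    throw "Non-admin principals can write to $ToolDir; tighten the ACL first."
}

# 3. Add the exclusion (same command as the FAQ) and read it back.
Add-MpPreference -ExclusionPath $ToolDir
$current = (Get-MpPreference).ExclusionPath
if ($current -notcontains $ToolDir) {
    Write-Warning "Exclusion not listed; exclusions may be managed centrally by policy."
}
$current   # review the whole list, not just the new entry
```

Keeping the exclusion scoped to this one folder, and removing it with Remove-MpPreference -ExclusionPath when the tool is uninstalled, keeps the exclusion list short.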
What exactly triggers the detection?
Common triggers include:
- Registry reads — Checking UAC, LSASS protection, Defender settings, and SMB signing configuration.
- WMI / PowerShell queries — Enumerating services, patches, and system configuration.
- Network probes — Port scanning, banner grabbing, and protocol analysis (these are the core functions of a vulnerability scanner).
- Credential checks — Looking for exposed credentials in GPP, unattend.xml, and cached logons (the scanner reads these files but never transmits data).
ServerTools is a fully offline tool. It does not phone home, upload scan results, or transmit any data. All analysis happens locally on your machine. You can verify this by running it with a network monitor — there are zero outbound connections (except the optional update-check command).
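One way to run the network-monitor check described above, as an added example that is not part of ServerTools: it polls the TCP connections owned by the scanner process for a minute and reports any remote endpoint that is not one of your own scan targets. The process name is taken from servertools.exe and the target address is a constructed sample.

```powershell
# Added example. Start this in an elevated session, then launch the scan.
$ProcName = 'servertools'        # assumption: process name matches the .exe
$Allowed  = @('192.0.2.10')      # constructed sample: hosts you scan on purpose
$Local    = @('0.0.0.0', '::', '127.0.0.1', '::1')
$seen     = @{}

$deadline = (Get-Date).AddSeconds(60)
while ((Get-Date) -lt $deadline) {
    $procIds = (Get-Process -Name $ProcName -ErrorAction SilentlyContinue).Id
    if ($procIds) {
        Get-NetTCPConnection -OwningProcess $procIds -ErrorAction SilentlyContinue |
            Where-Object { $_.RemoteAddress -notin $Local } |
            ForEach-Object {
                # Key on "address:port" so repeated samples collapse to one entry.
                $seen["$($_.RemoteAddress):$($_.RemotePort)"] = $_.State
            }
    }
    Start-Sleep -Milliseconds 250
}

# Strip the trailing ":port" and compare the address with the allowed targets.
$unexpected = $seen.Keys | Where-Object { ($_ -replace ':\d+$', '') -notin $Allowed }

if ($unexpected) {
    Write-Warning 'Remote endpoints outside the allowed targets:'
    $unexpected | Sort-Object
} else {
    Write-Host 'No TCP connections outside the allowed targets were observed.'
}
```

Polling can miss very short-lived connections and does not cover UDP, so a packet capture or firewall connection logging gives a more complete record for the same check.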
Does ServerTools require an internet connection?
No. ServerTools runs entirely offline. License validation uses Ed25519 cryptographic signatures — your license key contains everything needed to verify authenticity without contacting a server.
The only optional online feature is the servertools update-check command, which checks for new versions. Even this is completely optional and uses a 5-second timeout to avoid blocking you.
How does the free trial work?
ServerTools works without a license key in trial mode. You can run any scanner against any target, but results are limited to 3 findings per scan.
There is no time limit on the trial — use it as long as you need to evaluate the tool. When you purchase a license, all restrictions are removed immediately.
Which platforms are supported?
ServerTools ships as a single static binary for 18 platforms:
- Primary: Windows x64, macOS Universal (Intel + Apple Silicon), Linux x64.
- Linux packages: .deb (Debian/Ubuntu), .rpm (RHEL/CentOS/Fedora/SUSE), Alpine (musl).
- ARM: Linux ARM64, Windows ARM64.
- Enterprise Unix: FreeBSD, Solaris (SPARC + x64), AIX, HP-UX.
- Specialty: IBM Z (s390x), IBM Power (PPC64LE), RISC-V, MIPS64.
All platforms are included with every license tier. You download the binary for your platform from the downloads page after purchase.
Which Windows-specific scanners are included?
ServerTools includes 15 dedicated Windows security scanners in the Windows Security category:
- Registry Auditor — UAC, LSASS protection, SMB hardening, Defender config.
- Credential Auditor — Unattend.xml, GPP cpassword, LAPS, cached logons.
- PrivEsc Auditor — Unquoted service paths, DLL hijacking, AlwaysInstallElevated.
- Services Auditor — Dangerous services, Print Spooler, WinRM.
- Firewall Auditor — Profile rules, logging, RDP exposure.
- Event Log Auditor — Audit policy, PowerShell logging, Sysmon, retention.
- Patch Auditor — BlueKeep, Zerologon, PrintNightmare, EternalBlue.
- IIS Auditor — Directory browsing, TLS, app pool identity, WebDAV.
- NTLM Relay Auditor — SMB/LDAP signing, EPA, PetitPotam, PrinterBug.
- ADCS Auditor — ESC1-ESC8 certificate misconfigurations.
- WSUS/SCCM Auditor — Update poisoning, NAA credentials, push abuse.
- Print Spooler Auditor — Point-and-Print restrictions, remote RPC, driver install policies, NTLM relay chain correlation.
- Defender & AV Auditor — Real-time protection, tamper protection, ASR rules, Controlled Folder Access, SmartScreen, signature age, exclusion hygiene.
- Ransomware Readiness Auditor — BitLocker, Volume Shadow Copies, backup detection, admin shares, RDP/NLA, LLMNR/NetBIOS, PowerShell policy.
- Browser & Phishing Auditor — Office macro policy, Protected View, Mark of the Web, browser versions, Windows Script Host, HTA file associations.
These scanners detect real-world attack vectors used in penetration tests and red team operations. They automatically skip on non-Windows systems.
What is the difference between license tiers?
All tiers include full scan results (no trial limits) and all 18 platform binaries.
- Single Tool ($29) — One scanner of your choice. Good for targeted assessments.
- Category Bundle (from $49) — All scanners in one category. Best value for focused teams.
- All Scanners ($199) — Every scanner unlocked. Most popular choice.
- Professional ($349) — All scanners plus cron scheduling and HMAC audit log.
- Enterprise ($599) — Everything plus CERT-In compliance mode, local web dashboard, and PDF/Excel export.
All licenses are lifetime — one payment, no recurring charges, free updates forever.
What is your refund policy?
We offer a 14-day money-back guarantee on all license tiers. No questions asked. Email support@netra.tools with your Order ID and we'll process the refund within 5-7 business days.
See the full Refund Policy for details.