Perfect score in malware protection test. Light on system resources. Good scores in malicious and fraudulent URL tests. Ransomware protection. Fastest scan. Advanced features.
No lab test results.
Bottom Line
Small, speedy Webroot SecureAnywhere AntiVirus hardly uses any of your system's resources. It aces our hands-on malware protection test, and it can even roll back ransomware activity.
Many antivirus companies have dropped the idea of version updates, or yearly updates, opting instead to continually hone the product's skills and slipstream in new features. Webroot SecureAnywhere AntiVirus has hardly changed visibly since my last review, but as an Editors' Choice it merits a new review, comparing it with all the latest products. It's still a winner.
Like Bitdefender and Kaspersky, Webroot charges just under $40 for a one-year subscription. But Webroot charges just $10 more for a three-license subscription, while the other two ask $20 more. Norton doesn't have a multi-license plan, and one license will run you $49.99. As for McAfee AntiVirus Plus, it looks like the most expensive, at $59.99 per year, but that subscription gets you unlimited licenses for all your devices.
You can use your Webroot licenses to install antivirus on both PCs and Macs. Webroot SecureAnywhere Antivirus (for Mac) hasn't changed since my review earlier this year. Feel free to read my review of the Mac product for details.
The actual installation of this product takes hardly any time at all. However, the installer performs a raft of other tasks, checking each one off as it finishes. Among these are analyzing installed applications to reduce warnings and prompts, establishing a system baseline, and optimizing performance for your unique system configuration. It also runs an antivirus scan. Even with these added tasks, the process goes quickly.
The green-toned main window features a lighter panel that includes statistics about recent antimalware scans and a button to launch an immediate scan. Even if you never click that button, Webroot makes a full scan during installation and runs a scheduled scan every day. Another sizeable panel offers a link to view the product's User Guide. A panel at the right manages access to the rest of this product's significant feature collection.
Absent Lab Results
Webroot's malware detection system is very different from most competitors. It doesn't use the typical antivirus signature database, but rather works on metadata and behavior patterns. It also calculates a simple numeric hash for each file, and checks its online database to see if that file has already been identified as good, or as bad. After that simple test, it worries only about unknowns.
When an unknown program launches, Webroot monitors it closely, noting its behaviors and journaling its actions. It suppresses actions that aren't reversible, like sending data to an unknown server. And it transmits details about the program's behavior to Webroot's servers for analysis. In some cases, the analysis algorithms kick the program to human malware experts for a deeper dive. If analysis determines that the file is malicious, the local Webroot app kills the process and rolls back its actions.
Webroot's local program is utterly tiny, because most of its intelligence is in the cloud. If you somehow introduce a new file to the system when it's offline, the local heuristic detection system might identify it as malware. Otherwise, Webroot treats it as an unknown, and monitors its behavior. When the system regains its internet connection, the local app checks with the cloud. If the file turns out to be a known good or bad program, it treats it appropriately. If not, it just keeps monitoring until a verdict is reached.
This detection style doesn't fit very well with standard antivirus tests, especially those just using static samples. Even in a test that launches malware for observation, the researchers expect detection right away. As a result, Webroot simply doesn't participate in most independent lab testing. In the past, it did pass the difficult tests performed by MRG-Effitas, and my contacts at the company tell me it will appear in that lab's reports again.
Excellent Malware Protection Scores
With nothing from the labs, my own hands-on tests become more important. To get the ball rolling, I downloaded my current malware collection from Dropbox and extracted the files to a folder on the desktop. This file collection also includes a bunch of old PCMag utilities—valid files that are rarely in the wild. That ensures that an antivirus can't just decree that if a folder contains malware, all files in that folder are malicious.
At this point, Webroot detected and eliminated 54 percent of the samples. This represents all the samples whose hash (a simple numeric fingerprint) was already in Webroot's cloud database.
I maintain a second set of samples, modified by hand. Each modified edition has a different name from the original, and a different size, thanks to zeroes appended at the end. I also reached in to change some non-executable bytes in each. Looking only at the tweaked files corresponding to ones whose original got whacked on sight by Webroot, I found that it missed about a quarter of them. That's quite normal. This little test just checks the flexibility of signature-based detection systems. Trend Micro missed 45 percent of the modified files, and Kaspersky missed 44 percent.
I noticed something weird, though. Looking at the modified files corresponding to the ones Webroot did not eliminate on sight, I found that it wiped the modified versions of almost half. My Webroot contact explained. These hand-modified never-before-seen files could not appear in the database, and their absence was a suspicious circumstance, suggesting the possibility of polymorphic malware. That possibility triggered an extra level of scrutiny.
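The good/bad/unknown hash lookup and the journal-and-rollback behavior described above can be modeled in a few lines. This is an added example, not Webroot's code: SHA-256, the in-memory `CLOUD_DB`, and the `Journal` class are assumptions made for illustration, and the sample bytes are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for the cloud database: fingerprint -> "good" / "bad".
# SHA-256 is an assumption; the review does not say which hash Webroot uses.
CLOUD_DB = {}

def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verdict(data: bytes) -> str:
    """Known files get their stored verdict; everything else is 'unknown'."""
    return CLOUD_DB.get(fingerprint(data), "unknown")

class Journal:
    """Keeps the pre-change state of every file a monitored program touches."""
    def __init__(self):
        self._before = {}  # Path -> original bytes, or None if the file is new

    def write(self, path: Path, data: bytes) -> None:
        if path not in self._before:  # record the pre-image only once
            self._before[path] = path.read_bytes() if path.exists() else None
        path.write_bytes(data)

    def rollback(self) -> int:
        """Undo all journaled changes; return the number of files reverted."""
        for path, original in self._before.items():
            if original is None:
                path.unlink()  # the monitored program created this file
            else:
                path.write_bytes(original)
        reverted = len(self._before)
        self._before.clear()
        return reverted

def demo():
    sample = b"constructed sample bytes, not real malware"
    CLOUD_DB[fingerprint(sample)] = "bad"
    padded = sample + b"\x00" * 16  # same bytes with zeroes appended
    with tempfile.TemporaryDirectory() as d:
        doc, dropped = Path(d, "notes.txt"), Path(d, "new.bin")
        doc.write_bytes(b"original text")
        journal = Journal()  # an 'unknown' program's writes go through it
        journal.write(doc, b"overwritten once")
        journal.write(doc, b"overwritten twice")
        journal.write(dropped, b"created")
        reverted = journal.rollback()  # cloud verdict came back malicious
        return (verdict(sample), verdict(padded), reverted,
                doc.read_bytes(), dropped.exists())

if __name__ == "__main__":
    print(demo())
```

The zero-padded copy hashes differently, so a pure hash lookup returns `unknown` for it; that is the case where monitoring and the journal take over.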
I proceeded to launch the surviving samples. After each detection, Webroot wanted to run a scan, which would be entirely appropriate in a real-world detection situation. To save time, I had it wait until I had tried all the samples. It caught all of them either at launch or soon thereafter. I also installed all the valid PCMag utilities that I had mixed with the malware samples; Webroot correctly left those alone.
When I did permit it to run a full scan, it took about 15 minutes before reporting the system clean. It then ran another intensive scan, just to be sure. That scan finished in seven minutes. Next, I used my hand-coded analysis tools to verify that there was no trace of any malware. Webroot, like Symantec Norton AntiVirus Basic, detected 100 percent of these samples and earned a perfect 10 points.
For scan speed comparison purposes, I tested again on a completely clean system. This scan, too, finished in seven minutes. That's a bit longer than when I last tested Webroot, but still the fastest full scan among current products. Yes, Malwarebytes 3.0 Premium finished in 2.5 minutes, but its full scan is what others would call a quick scan. The current average is 45 minutes.
It takes me a week or more to gather, select, and analyze a new collection of malware for testing. Those samples remain in use until I can go through the process again, so it's no surprise that many of the files were already in Webroot's database of hashes. My malicious URL blocking test, on the other hand, always uses the very latest files, from a feed supplied by MRG-Effitas. These are typically no older than the previous day.
I work down the list, launching each URL, discarding any that give an error message, or that don't point to an executable malware file. Looking at the valid ones, I note whether the antivirus prevents browser access to the dangerous page, eliminates the malware during or just after download, or does nothing. When I've got 100 data points, I figure that's enough.
Webroot's web protection kicked in to keep the browser from visiting 16 percent of the dangerous URLs, stating that visiting this page could subject you to danger. The real-time antivirus eliminated another 72 percent, for a total of 88 percent protection. That's better than the 84 percent Webroot managed when last tested, but others have done better. Norton tops the list, with 98 percent protection, and Trend Micro Antivirus+ Security is close behind with 97 percent.
The journal and rollback system Webroot uses can even roll back the effects of encrypting ransomware, though the company does warn that limitations such as available drive space can impact this ability. In truth, it would be very unusual for a ransomware attack to get past all the other layers of protection. Webroot wiped out all my ransomware samples, most by recognizing them as known bad programs, a few by noticing bad behavior after launch. So how could I test this product's ransomware protection?
I could, of course, write a brand-new encrypting ransomware specimen for testing. Well, no, I couldn't. I don't have that level of programming skills, and I wouldn't if I could. Instead, I wrote a very simple ransomware simulator. When activated, it finds all the text files in the Documents folder and encrypts them using reversible XOR encryption. I had used this program last time I tested Webroot, so I recompiled it with a few changes, to make sure it wasn't in the Webroot database.
I launched the program and let it do its job, verifying that it encrypted those text files. I opened Webroot's Active Processes list and verified that it marked the fake encryptor as Monitored, meaning that Webroot kept a record of all its actions. I marked it as Blocked, and confirmed that I wanted to kill the program right away. Finally, I ran a scan. The scan correctly returned the encrypted files to their plaintext originals. Nice!
Webroot's monitor works with all malware types. A similar feature in Trend Micro focuses just on ransomware. It kicks in at the first sign of ransomware behavior, backing up the important files ahead of the malware. If its behavioral detection verifies a ransomware attack, it terminates the attacker before it can do any more damage, and then it restores the backed-up files.
Good Protection Against Phishing
Phishing websites are frauds that masquerade as secure sites in order to steal your credentials. PayPal, banks, gaming websites, even dating sites—I've seen them all. Once you fill in your username and password on such a site, your account is pwned.
Of course, these sites quickly get detected and blacklisted, but in the time between a site's appearance and its demise, the perpetrators victimize as many saps as they can. The very best antiphishing tools don't just rely on blacklisting, but they also perform real-time analysis to detect brand-new frauds. Webroot is in the real-time camp. Often, you can see the page start to load, only to be replaced by a page that warns "Phishing attack ahead." A fraud that Webroot detects goes into Webroot's own blacklist, to protect other users that might encounter it.
For this test, I gather URLs that have been reported as fraudulent but not yet blacklisted. Typically, they're no more than a couple of hours old. I try to visit each URL in five browsers simultaneously, one using the product under test, one using Norton, and one apiece relying on protection built into Chrome, Firefox, and Internet Explorer.
Over half of recent products scored lower than at least one of the browsers, and almost one in five displayed worse protection than all three built-ins. Hardly any products beat Norton's detection rate. In my previous test, Webroot edged out Norton's detection rate by 1 percentage point. This time it lagged Norton by 5 points, but that's still a respectable score. Of recent products, only Bitdefender Antivirus Plus and Trend Micro have outscored Norton.
Webroot includes firewall protection, even in the standalone antivirus, but it's not the same as what many others do. This firewall doesn't attempt to put your system's ports in stealth mode; it leaves that task to the built-in Windows Firewall. You'll want to double-check that you have Windows Firewall enabled.
It doesn't attempt to fend off network-based exploits. I hit the test system with about 30 exploits generated by the CORE Impact penetration tool and it did nothing. Since the test system is fully patched, the exploits also didn't do any damage.
Webroot classifies programs as good, bad, or unknown. Like Norton, it leaves the good ones alone, eliminates the bad ones, and monitors the unknowns. As mentioned earlier, if a monitored unknown program tries to exfiltrate your private data, it won't succeed.
The firewall really kicks in when Webroot detects an active infection, which causes the main window to turn from green to dramatic red. At this point, it clamps down on network traffic by unknown programs, without keeping you from normal activities like Web browsing.
If you're a glutton for punishment, you can tweak the firewall's settings to enable old-school behavior, where the firewall pops up a warning every time an untrusted program tries Internet access. You can even go a step farther, setting it to block all access for untrusted programs.
One thing's for sure, a malware coder isn't going to disable Webroot's protection. It doesn't expose any settings in the Registry. Its two processes are protected against termination. And I couldn't stop or disable its single Windows service.
There's quite a bit more to Webroot's tool, if you're interested enough to poke around. If you'd rather not, no problem! You don't need to view, use, or configure these expert features at all.
Identity Protection acts to prevent a wide variety of typical malware attacks including man-in-the-middle, browser process modification, and keylogging. It can apply protection to specific applications that you choose; Internet Explorer is on the protected list by default.
A set of antimalware tools lets you repair collateral damage, like malware-modified wallpaper, screensaver, or system policies. You can also use it to quickly reboot into Safe Mode, or to perform an instant reboot. Those with tech skills can manually remove malware, along with its associated Registry data. And if necessary, you can run a removal script created by Webroot tech support.
You can even view all active processes and see which ones Webroot is monitoring. If you really want to see what Webroot is doing, you can open the Reports page and check its current activity, or history. You probably won't want to read the available scan log or threat log, but tech support may ask for them. And hey, Webroot tech support is available 24/7, with call centers in the US, Ireland, and Australia.
There are expert features, and there are beyond-expert features. SafeStart Sandbox is among the latter. If you're a trained antivirus researcher, you can use it to launch a suspect program under detailed limitations that you specify. If you're not, just leave it alone.
Who's the Lightest of Them All?
For years I've referred to Webroot as the smallest, lightest antivirus around. Just what does that mean?
If you open the folder containing a typical antivirus or security suite, you'll find a boatload of files and folders. When I checked, Norton's program folder contained over 1,250 folders and 130 files, and occupied 702MB of disk space. Bitdefender's files and folders didn't take quite as much space on disk, but they ran to more than 4,500 files and 200 folders. And these aren't even among the biggest!
Check Webroot's folder and you'll find exactly one file, WRSA.exe, weighing in at 1MB. Like I said, tiny!
According to Task Manager, Webroot has just two processes, one running in the current user's memory space and one at the system level. The same is true of Norton. But I found 16 active processes for McAfee. Checking Bitdefender in the same way, I found nine active processes.
In addition to processes visible in Task Manager, most security utilities rely on one or more Windows Services. I found just one for Webroot and Norton, and three for Kaspersky Anti-Virus. McAfee AntiVirus Plus had 13, almost all of them running, and Bitdefender relied on six.
Just because a product uses a greater number of processes or services doesn't necessarily mean it's using more of your system resources. It's conceivable that a program with just one resource-hungry process could bring your system to a screeching halt. That's conceivable, but not likely. By every measure I've found, Webroot is the lightest of them all.
A Tiny Dynamo
Most of the independent antivirus labs don't quite know what to do with Webroot, as it doesn't jibe with their testing methodologies. However, in my own hands-on testing it proved a big success, with a perfect score for malware protection and very good scores for blocking malicious URLs and phishing sites. I couldn't test it with zero-day ransomware, but its journal-and-rollback system proved effective against my ransomware simulator. For experts, it packs some advanced features into its tiny package. It remains an antivirus Editors' Choice.
Like Webroot, Symantec Norton AntiVirus Basic aced my malware protection test, and beat all others, even full security suites, in my exploit protection test. Kaspersky Anti-Virus and Bitdefender Antivirus Plus routinely earn perfect or near-perfect scores from all four of the antivirus testing labs that I follow, and both include useful bonus features. McAfee AntiVirus Plus doesn't always score quite as high as the others, but it's a fantastic bargain, offering protection for every Windows, macOS, Android, and iOS device in your household. These four are also Editors' Choice antivirus products, each with its own special merits.
Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted by readers. By 1990, he had become PC Magazine's technical editor, and a coast-to-coast telecommuter. His "User to User" column supplied readers with tips…