There’s a great deal of similarity between most antivirus products. They take about the same amount of time to install, update, and scan. They’re about the same size when it comes to disk space. And they use signature-based malware detection plus some heuristic or behavioral components. Webroot SecureAnywhere AntiVirus (2014) ($39.99 per year, direct) doesn’t fit with the rest at all. It installs in a flash, doesn’t require signature updates, scans much more quickly, and takes a ridiculously small amount of space on disk. On top of that, its unconventional techniques do an impressive protection job.
Like Bitdefender, Norton, Kaspersky, and others, Webroot has dropped version and year numbers from its product names. We’re calling this (2014) to distinguish it from last year’s edition. Visually, it’s quite a change, with a new, streamlined user interface. The real-time protection statistics that filled its main window before have been moved to their own window. Now you see simple stats about recent scans and activities, along with an accordion-style collection of panels that offer quick access to the program’s security components. Unnecessary settings have been removed; expert-only settings have been pushed deeper.
Webroot’s installer is famously tiny; it would fit on a 3.5″ diskette, if you could find one. The installed program is hardly bigger. Launch the installer, insert your keycode, click a button, and it’s off to the races.
The actual installation of the program itself is done in a flash. The installer goes on to perform a number of other tasks. Webroot claims compatibility with virtually every other antivirus, but it does check for incompatible software. It analyzes installed applications, optimizes its configuration for your particular system, and establishes a “system baseline” for reference. Most importantly, it runs a full scan.
The average antivirus takes about 30 minutes to scan my standard clean test system. Webroot does the job in less than five minutes. Installing Webroot and running that scan takes less time than simply installing and updating most antivirus products.
Ransomware on one of my test systems makes the desktop inaccessible, so a normal installation isn’t possible. Webroot tech support guided me to their bootable rescue environment. Unlike most, this isn’t a Linux-based antivirus scanner. Rather, at bootup it contacts tech support directly for a remote-control hands-on repair session. The support agent manually modified Registry entries to prevent the ransomware from launching. After that, I had no trouble with installation. Webroot installed without incident on the other eleven test systems.
After every scan that finds and removes malware, Webroot runs another scan to make sure everything has been cleaned thoroughly. It’s actually reassuring, and since the scan is so quick, it’s not a big imposition. Every test system required at least one re-scan after the initial install-time scan found malware. A few needed three or even four scans.
Highly Resistant Malware
On two of the test systems, the scan ended with a note saying the product “detected a significant infection… which requires manual assistance” and advising that I contact tech support. A button on this screen is supposed to go directly to support, though at the time of my testing it didn’t work quite right. But no matter, I contacted support through the website.
The support agent logged in to each infested test system and ran a specialized tool designed to remove the specific virulent file-infector present on each. In both cases, even after several tries, the threat-specific tool failed. Next he tried a cleanup tool from Sophos; Webroot has a deal with Sophos to supply such tools at need. When those tools failed, he tried freely-available threat-specific tools from another vendor. In both cases, the final solution involved much poring over logs, running one-off antivirus scripts, and rebooting.
Webroot installed in a flash and would normally have earned five stars for installation experience. I had to knock off a star for very lengthy tech support sessions required to complete the cleanup process on two of the test systems.
Very Good Malware Cleanup
Despite the two resistant malware samples, Webroot earned a very good malware cleanup score. It detected 89 percent of the samples, a new high detection rate among products tested with this same malware collection. F-Secure Anti-Virus 2014 and Jumpshot came in second, with 86 percent.
Webroot also has the best removal score among current products, 6.6 points. That honor is shared by F-Secure and Bitdefender Antivirus Plus (2014). For a full explanation of my hands-on malware removal test, see How We Test Malware Blocking.
Webroot SecureAnywhere AntiVirus 2014 malware blocking chart
Webroot and the Labs
While Webroot does use signature-based detection for certain widespread malware, that’s not its main line of defense. Rather, Webroot analyzes hundreds of program traits and behaviors to identify malware, even zero-day, never-before-seen malware. The 2014 edition adds a new technology dubbed Infrared for better protection against zero-days and advanced persistent threats. I can’t say first-hand how that works, not having any APTs handy.
There’s one little problem as far as testing goes. Given Webroot’s reliance on behaviors, it will not necessarily detect a brand-new threat immediately. When it encounters an unknown program it starts journaling that program’s actions. Later on, if the program does something nasty like try to send your credit card number to an IP address in South Sylvania, Webroot can both block the action and roll back everything else the program did.
That’s all very well, but it means that in an independent lab test using static samples, Webroot is bound to do poorly. Even dynamic tests don’t necessarily last long enough to let Webroot’s journaling and rollback system go to work. If an unknown program hasn’t done anything nasty, to Webroot it’s still benign.
Both Symantec and Webroot believe that antivirus testing needs to change, in particular to eliminate static tests. There may be hope. A statement from Webroot reports “The AV-Test team concluded that fully testing our products and measuring how we protect and prevent compromise will require significant changes to their existing tests. They have agreed to pursue the changes to the tests needed. In fact, they will implement these changes and test all AV products using the new tests.” My contacts tell me they are also in discussions with AV-Comparatives.
Until such changes take place, there’s just not enough information to comment on Webroot’s lab test performance. The chart below summarizes recent lab results. To learn more about the labs and their various tests, see How We Interpret Antivirus Lab Tests.
Webroot SecureAnywhere AntiVirus 2014 lab tests chart
Good Malware Blocking, Even So
My malware blocking test includes both static and dynamic elements, so I went in with a feeling that Webroot might not do so well. I was pleasantly surprised to find that it identified and eliminated over 80 percent of my malware samples as soon as I opened the containing folder. Webroot’s limited signature-based detection in the cloud gets credit for those.
I launched the remaining samples and noted Webroot’s behavior. In several cases, it reported an action like a program modifying the Registry bootup area or installing itself to launch at startup. A couple of times it reported that a program “is trying to connect to the Internet and is not trusted.” I had the option to allow once, allow always, or block the action. What to do?
I put this test aside temporarily and installed twenty PCMag utilities. These are valid programs that hook deeply into Windows to accomplish useful tasks. They definitely perform many of the same operations I had seen reported by Webroot, but it didn’t flag these valid programs. On that basis, I decided to always block the reported action.
Even so, Webroot missed a few of the malware samples. I let it run overnight, waiting for the possibility of delayed detection and roll back. Indeed, it caught a couple more in the morning. Overall it detected 91 percent of the samples and scored 8.8 percent. That’s a bit better than Norton AntiVirus (2014)’s 8.5, but, as expected, way below the top scores.
AVG AntiVirus FREE 2014 had the best detection rate of products tested using my current sample set, 97 percent. AVG, F-Secure, and Ad-Aware Free Antivirus+ 10.5 tied for top malware blocking score, at 9.4 points.
For a full run-down on my hands-on malware-blocking test, please read How We Test Malware Blocking.
Webroot SecureAnywhere AntiVirus 2014 malware blocking chart
Working Without a Net
Given the large number of signature-based detections, I felt that I hadn’t really exercised Webroot’s journal-and-rollback features. I took a deep breath and went back for another round of testing with no Internet connection.
Even without access to the cloud, Webroot detected 8 percent of the samples on sight. I started launching the rest, with varying degrees of success. Some failed due to their own reliance on an Internet connection. If Webroot reported a suspicious activity, I always chose to block it.
Midway I encountered the ransomware sample, which immediately took over the desktop. I restored the Internet connection but did nothing else. Within a minute, Webroot wiped out the ransomware and got busy rolling back. When it finished after a few scans, I recorded the results.
Things didn’t go quite as well when I went back to test the other half of the samples. I launched them all and then restored connectivity. The system hung (malware overload?) so I forced a reboot. On reboot Webroot did its cleanup job. This time, though, it finished with the “contact support” warning. I was a bit disappointed that the journal-and-rollback system didn’t handle the problem. It took a couple hours for tech support to clean up the problem. I’m told that Webroot development is using this experience to improve the product.
I can’t report a precise detection rate, because some of the malware samples failed not due to Webroot’s efforts but because they require an Internet connection. However, Webroot’s overall malware blocking score in this re-test was nearly identical to what it earned when tested with an Internet connection available.
Webroot’s online protection got a major upgrade with this edition, and it shows. When I attempted to re-download my malware collection, it blocked about 30 percent of the still-valid URLs. However, the real-time shields wiped out all the rest, in a time-frame ranging from mid-download to several minutes after download.
Online protection also works to steer users away from fraudulent (phishing) websites, and in testing it did a fantastic job. In most cases it very specifically identified the URL as fraudulent. For a few, it simply warned that the site looked suspicious, but in all of those cases it was correct, and it didn’t flag any valid sites as suspicious.
Because the available phishing URLs are different every day (even every hour) I report a product’s score compared to Norton’s detection rate against the exact same set of URLs. The vast majority of antiphishing products don’t come close to Norton’s detection rate. Last year, Webroot lagged by 45 percentage points. This time around, its detection rate was 2 points higher than Norton’s. Only Bitdefender and Kaspersky have done better, beating Norton by 3 points. For details on how I obtain the freshest phishing URLs and score this test, see How We Test Antiphishing.
Webroot SecureAnywhere AntiVirus 2014 antiphishing chart
Tough Firewall Helper
Like Trend Micro Titanium Antivirus+ 2014, Webroot includes a firewall component that’s designed to work with the built-in Windows Firewall. The firewall component specifically handles outbound connections, leaving the rest to Windows Firewall.
The test system’s ports were all stealthed and it resisted all the port scans and Web-based attacks I threw at it. That’s not surprising, since Windows Firewall was doing the work.
Many firewalls and firewall components automatically configure Internet permissions for known good programs, eliminate known bad programs completely, and ask the user what to do when they encounter unknowns. Webroot takes a slightly different approach. By default, it will only ask you what to do about unknown programs if the system is infected and hasn’t yet been fully cleaned. If you see a firewall popup from Webroot, blocking access is almost invariably correct.
Leak test programs try to circumvent program control in the same way some malicious programs do. However, they don’t actually do anything malicious, so it’s not surprising that Webroot didn’t block them. The firewall component also doesn’t attempt to block attacks that exploit system vulnerabilities.
One thing you don’t have to worry about is a malicious coder shutting down Webroot’s protection. Any attempt to terminate its single main process is greeted with a CAPTCHA screen, and it doesn’t expose Registry settings that might be tweaked to turn off protection. Its single Windows service can’t be disabled. I emphasize Webroot’s single process and service because it’s unusual. For example, McAfee had 14 distinct services running; I stopped ten and disabled the rest.
Using the Active Processes control, you can terminate and block any running process, or put it on Webroot’s monitoring list to watch for bad behavior. The SafeStart Sandbox allows you to run a possibly-risky program while limiting its ability to make permanent changes to your system. Both are intended for use by experts, perhaps by a support technician performing a remote-control diagnostic and cleanup session.
Likewise, you probably shouldn’t attempt Manual Threat Removal on your own. This tool takes the file you’ve identified as dangerous and removes it, along with any associated Registry Entries. As for the Removal Script processor, it requires a specialized repair script written by tech support before it will do anything; it’s not for you.
As for the Advanced Settings, they can make interesting reading. I learned that by default Webroot will “silently and automatically block untrusted access to user data” and “prevent interruption by intelligently suppressing warnings.” Go ahead and look these over, but don’t change a thing.
On the flip side, there are some tools that anybody can use to help clean up after malware has been removed. It’s not uncommon for malware to replace your desktop background or screensaver, and many of them will tweak system settings to make detection and removal more difficult. For example, they may disable access to the Command Prompt, or to REGEDIT. Webroot can restore your wallpaper and screensaver, and also reset many system policies to their defaults.
If you’ve ever tried to reboot into Safe Mode, you know hitting F8 at just the right time can be tough. One of Webroot’s tools will handle rebooting into Safe Mode. Another performs an immediate reboot, in case malware prevents regular system shutdown.
Tiny and Impressive
No other antivirus product comes close to Webroot when it comes to minimizing use of disk space. It’s hard to believe something so tiny can do everything that it does. The independent labs don’t have much to say about it, but in my own testing it did a very good job cleaning up malware-infested systems (with a little help from tech support). The enhanced phishing protection in this edition beat long-time phishing champ Norton.
Webroot treats unknown programs as benign until they actually do something malicious, so it doesn’t necessarily fare well in malware-detection tests. But because it journals all activity by those unknowns, it can roll back every action by a program newly identified as malicious. I put this feature to the test by cutting Webroot off from its cloud-based detection, launching malware samples, and then restoring the connection. It scored about the same as when it was allowed a continuous Internet connection.
Webroot isn’t like most antivirus products, but different can be good; good enough to merit the designation of Editors’ Choice. Along with Webroot, Norton AntiVirus (2014) and Bitdefender Antivirus Plus (2014) are also Editors’ Choice antivirus tools.
Copyright © 2012 Ziff Davis, Inc