In the early days of viruses and other computer malware, antivirus utilities relied on ever-growing signature databases to identify dangerous files.
Polymorphic malware foiled signatures, so security companies devised heuristic and behavior-based detection methods.
This proliferation of techniques sometimes created very large programs.
Rather than expand to catch every new attack instantly, Webroot SecureAnywhere AntiVirus keeps watch on unknown programs until its brain in the cloud comes to a judgment.
If it's thumbs down, the tiny local program wipes out the attacker and reverses its actions.
It's a very unusual system, but testing proves that it does the job, and does it well.
Price-wise, Webroot runs with the pack.
Like Bitdefender, Kaspersky, and several others, it costs just under $40 for a one-year subscription.
Where a three-license Webroot subscription costs $10 more, the other two ask another $20.
Norton's standalone antivirus doesn't have a multi-license plan, and one license will run you $49.99.
As for McAfee AntiVirus Plus, it costs $59.99 per year, but that subscription gets you unlimited protection for your Windows, macOS, Android, and iOS devices.
As always, you may find any of these prices discounted for the first year, sometimes quite deeply.
You can use your Webroot licenses to install antivirus on both PCs and Macs.
Some components of Webroot SecureAnywhere Antivirus (for Mac), in particular the web-based protection system, are identical on both platforms.
Overall, the two products offer similar security features, though Webroot doesn't go quite as overboard with expert features on the Mac.
Webroot's installer is tiny, less than 4MB, and it installs in a flash.
Immediately on installation, it gets busy with a collection of startup tasks, checking off each one as it finishes.
Among the listed tasks are: scanning for active malware; analyzing installed applications to reduce warnings and prompts; establishing a system baseline; and optimizing performance for your unique system configuration.
Even with these added tasks, the process goes quickly.
The product's appearance hasn't changed appreciably since my last review.
Its green-toned main window features a lighter panel that includes statistics about recent scans and a button to launch an on-demand scan.
Even if you never click that button, Webroot makes a full scan during installation and runs a scheduled scan every day.
A panel at the right manages access to the rest of this product's significant collection of security features.
Lab Test Conundrum
As noted, Webroot handles new, unknown programs by letting them run under strict monitoring.
It prohibits irreversible actions like sending personal data to the internet, and keeps a journal of reversible actions, all while awaiting a verdict from Webroot's cloud analysis system.
If the program under judgment proves to be nasty, Webroot wipes it out and reverses all its changes.
This system just isn't compatible with many independent lab tests.
Labs like AV-Test Institute and AV-Comparatives expect antivirus programs to act right away on malware they recognize, whether detection occurs using signatures, heuristics, or behavioral analysis.
Webroot's relationship with the labs has been rocky, but two of the four that I follow have recently included Webroot in their testing, with decent results.
Lab Test Results Chart
Researchers at MRG-Effitas report on two main tests, one specific to banking Trojans and one aiming to cover the full range of malware types.
Security programs that don't earn near-perfect scores simply fail; these are tough tests.
Webroot passed the banking Trojans test, unlike more than half the products tested.
It earned Level 2 certification in the all-types test.
That second score means that while it didn't immediately prevent all the malware attacks, it remediated them completely within 24 hours.
This test lines up perfectly with Webroot's watch-and-wait system.
SE Labs certifies antivirus products at five levels, AAA, AA, A, B, and C; Webroot earned a B.
My contact at Webroot pointed out that the product scored well at its main task of blocking malware execution, but lost points for its handling of such things as targeted attacks.
He said he'd be pleased with a different scoring system, but felt that Webroot did well overall.
I use an algorithm to derive an aggregate lab score for products tested by at least two labs.
My algorithm maps all results onto a 10-point scale and returns a value from 0 to 10.
Webroot's 7.7 points is decidedly on the low side, but decent considering that it doesn't truly jibe with common testing methods.
It's certainly better than no test results at all, and it passed both tough tests by MRG-Effitas.
As ever, Bitdefender Antivirus Plus and Kaspersky take perfect or near-perfect scores from the labs.
Bitdefender's current aggregate score is 10 points, while Kaspersky, tested by all four labs, has 9.9.
Excellent Malware Protection
For the past few years, Webroot has done very well in my own hands-on malware protection tests, though it handles them differently from most other products.
When I downloaded my folder of samples from Dropbox and opened it, Webroot didn't react immediately, the way many products do.
However, the first sample I launched triggered a kind of chain reaction.
Webroot popped up to report that it had identified malware, and offered to remove it.
After removal, it asked permission to scan the system, to wipe out any remaining malware.
The thought of enduring a full system scan just because of one found threat might alarm you, but it needn't.
I'm not talking the hours-long scan that I measured for Norton, McAfee, Avast, and a few others.
A full scan with Webroot takes from five to seven minutes—not long at all.
At the end of that scan, it removed another group of threats, and asked to scan yet again.
The second scan blew away all the remaining samples, without disturbing a couple dozen legitimate files residing in the same folder.
Once again, Webroot detected 100 percent of the samples and scored 10 of 10 possible points.
Webroot is the first product to eliminate all current samples, from pernicious ransomware to potentially unwanted programs.
Previously the top score was 9.3, shared by Norton, McAfee, Cylance Smart Antivirus, and F-Secure.
The scan did whack a couple of my hand-coded testing tools, but I can't really blame it.
Here you have a program that's never been seen before by the cloud analysis system, and its purpose is to launch fraudulent URLs.
Suspicious much? I restored my tools from quarantine and proceeded with testing.
Malware Protection Results Chart
Of course, all my preselected samples are veritable antiques to Webroot, seen and known for months.
To get a look at protection against the latest threats, I start with a feed of URLs that researchers at MRG-Effitas recently found to be hosting malware.
Typically, these are no more than a couple days old.
I launch each and note whether the antivirus prevents browser access to the dangerous URL, eliminates the file upon download, or completely fails to notice the malware download.
Of more than 100 validated dangerous URLs, Webroot blocked 51 percent in the browser and wiped out the malware payload of another 29 percent.
With 80 percent protection overall, it's in the lower half of scores for this test, but that's in part because it doesn't bring every resource to examining downloaded files.
Let me explain.
Just to see what would happen, I launched one of the downloaded malware samples.
That's not how this test normally works, but I'm glad I checked.
Webroot detected the sample and launched a scan that eliminated most of the downloaded malware.
The result would have been 97 percent protection, right up there with McAfee and Trend Micro.
Only Norton and Bitdefender, with 99 percent, have done better.
I asked my Webroot contact why the scan at download time seemed less effective than the later scan.
He explained that for efficiency the scan doesn't focus as strongly on files that were merely downloaded but not yet executed.
That's because any such file will get serious scrutiny before it launches.
And indeed, launching just one of those files set off the scan that wiped out all but a few of them.
Phishing Protection Success
There's nothing intrinsically dangerous about a phishing website—no drive-by downloads, malicious scripts, or other active threats, just an inviting imitation of a secure website.
You're perfectly safe, unless you haplessly enter your login credentials on one of these fraudulent sites.
If you do fall for the fraud, though, you've just given away full access to your bank site, shopping site, even dating site.
It's not good.
These fraudulent sites get shut down and blacklisted quickly, but the perpetrators simply pop up another fake and start trolling for victims.
To test an antivirus product's phishing protection, I try to include phishing URLs that are so new there's been no time to analyze and blacklist them.
I launch each URL in a browser protected by the product in question, and simultaneously in browsers relying on the phishing protection built into Chrome, Firefox, and Internet Explorer.
I discard any that fail to load in one or more of the browsers, and any that don't precisely fit the definition of phishing.
Once I have 100 or so data points, I run the numbers.
Phishing Protection Results Chart
Webroot did a very good job detecting and fending off fraudulent sites, significantly better than when last tested.
It blocked 97 percent of the verified frauds, and outperformed all three of the browsers.
A few others have done better recently, in particular Kaspersky Anti-Virus and McAfee with 100 percent protection, but Webroot joins the growing cluster of phishing protectors with scores near the top.
For tips on averting this kind of attack, please read my feature on how to avoid phishing scams.
Ransomware Experiments
The journal and rollback system that Webroot uses can even roll back the effects of encrypting ransomware, though the company warns that limitations, such as available drive space, can impact this ability.
In truth, it would be very unusual for a ransomware attack to get past all the other layers of protection.
Webroot wiped out all my ransomware samples, most by recognizing them as known bad programs, a few by noticing bad behavior after launch.
I had to scramble to figure out how to test its ransomware protection.
My coding skills are rusty; there's no way I could write a never-before-seen encrypting ransomware specimen, even if I wanted to.
For testing, I wrote a simple-minded ransomware simulator that encrypts all text files in the document folder using reversible XOR encryption.
I had performed this test during my last review, meaning that Webroot would recognize and eliminate the program on launch.
To avert that effect, I modified the program, changing its name, length, and a few non-executable bytes.
The newly disguised program ran unhindered, and I verified that it did encrypt the target files.
In Webroot's Active Processes list, I found the program running in Monitored mode, meaning Webroot was keeping detailed track of its activity.
Rather than waiting for a decision from Webroot's cloud-based brain, I cut to the chase.
In the processes list I blocked the program, confirmed immediate termination, and launched a scan.
The scan removed the file and reversed its actions, restoring the encrypted files, just as I had hoped.
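The watch, journal, and roll-back behavior described under Lab Test Conundrum and exercised in this experiment can be modeled in a few lines of Python. This is an added example, not Webroot's code and not part of the original review; the class, the action names, the deny-by-default policy, and the byte budget standing in for available drive space are all assumptions made for illustration.

```python
import os
import shutil
import tempfile

class MonitorJournal:
    """Conceptual model of monitoring one unknown program (not Webroot's code)."""
    def __init__(self, journal_dir, budget):
        self.dir, self.budget = journal_dir, budget  # budget: bytes left for pre-images
        self.entries = []                            # (path, backup, existed), in order

    def request(self, action, path=None, data=b""):
        """Gate one action of the monitored program; True means it was allowed."""
        if action != "write_file":                   # irreversible or unknown: refuse
            return False
        existed, backup = os.path.exists(path), None
        if existed and os.path.getsize(path) <= self.budget:
            backup = os.path.join(self.dir, f"{len(self.entries)}.bak")
            shutil.copy2(path, backup)               # keep a pre-image before overwrite
            self.budget -= os.path.getsize(backup)
        self.entries.append((path, backup, existed))
        with open(path, "wb") as fh:
            fh.write(data)
        return True

    def rollback(self):
        """Bad verdict: undo newest-first; return names that could not be restored."""
        lost = []
        for path, backup, existed in reversed(self.entries):
            if backup:
                shutil.copy2(backup, path)           # restore the original content
            elif existed:                            # no room for a pre-image earlier
                lost.append(os.path.basename(path))
            elif os.path.exists(path):               # file the program created
                os.remove(path)
        self.entries.clear()
        return lost

def demo(budget):
    with tempfile.TemporaryDirectory() as docs, tempfile.TemporaryDirectory() as jdir:
        note, drop = os.path.join(docs, "note.txt"), os.path.join(docs, "drop.txt")
        with open(note, "wb") as fh:
            fh.write(b"quarterly figures")           # constructed sample document
        j = MonitorJournal(jdir, budget)
        j.request("write_file", note, b"scrambled")  # overwrite, as the simulator did
        j.request("write_file", drop, b"new file")
        sent = j.request("network_send")             # blocked while verdict is pending
        lost = j.rollback()
        with open(note, "rb") as fh:
            return fh.read(), os.path.exists(drop), sent, lost
```

With a budget too small to hold the pre-image, `demo(4)` reports `note.txt` as unrecoverable, which is the drive-space limitation the company warns about.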
Webroot's monitoring system works with all malware types.
A similar feature in Trend Micro Antivirus+ Security focuses just on ransomware.
At the first sign of ransomware behavior, it backs up important files.
If its behavioral detection verifies a ransomware attack, it terminates the malware and restores the backed-up files.
That little experiment with a hand-modified version of my file encryptor test inspired me to try testing with a hand-modified version of Cerber, a rather nasty real-world ransomware attack.
The results were rather different.
This time, the modified attack ran to completion, encrypting my documents and displaying its ransom demand.
What happened?
When I shared my experience, my contact at Webroot explained that Cerber uses an unusual technique called "process hollowing," which lets its code run inside an existing trusted process.
Webroot has a defense against this technique in the works, but it won't be released until next year.
He admitted that in a case like this, the "Patient Zero" victim of the first attack could lose files, but Webroot should learn from the attack and protect other users.
Indeed, when I rolled back the virtual machine to a clean state and repeated the test, Webroot wiped out the modified ransomware immediately.
Helpful Firewall
For many security companies, the addition of a personal firewall is one of the features that distinguishes the security suite from the standalone antivirus.
Webroot's antivirus includes a firewall, but it doesn't work quite the same as most.
It makes no attempt to put your system's ports in stealth mode, leaving that task to the built-in Windows Firewall.
That's fine; the built-in does a good job.
Webroot's firewall doesn't attempt to fend off network-based exploits.
When I hit the test system with about 30 exploits generated by the CORE Impact penetration tool, it didn't react.
Since the test system is fully patched, the exploits also didn't have any opportunity to penetrate and damage it.
Webroot classifies programs as good, bad, or unknown.
Like Symantec Norton AntiVirus Basic, it leaves the good ones alone, eliminates the bad ones, and monitors the unknowns.
As mentioned earlier, if a monitored unknown program tries a non-reversible action like sending your credit card details overseas, Webroot steps in to stop it.
By default, the firewall ups its game when Webroot detects an active infection, which causes the main window to turn from green to dramatic red.
In this mode, any network traffic by unknown programs requires your permission, but normal activities like Web browsing proceed uninterrupted.
If you just love those endless firewall popups, you can tweak the firewall's settings to enable such old-school behavior.
Now you get a warning every time an untrusted program tries Internet access.
You can even go a step farther, setting it to block all access...