By Neil J. Rubenking
Most people have at least a vague idea of how an antivirus product works.
It calculates some kind of fingerprint of a file, checks that against its list of bad files, and raises the alarm if there’s a match, right? In reality, almost all products use additional layers of security, but they still retain old-school signature-based detection.
The 2016 edition of Webroot SecureAnywhere AntiVirus takes a seriously different approach, one that lets it scan quickly, use a tiny amount of resources, and still offer powerful protection.
In testing, Webroot knocked my socks off.
A one-year subscription costs $39.99, while $49.99 gets you three licenses. Note that you can use these licenses to install protection on either a PC or a Mac.
The Mac edition is almost identical to the PC version reviewed here.
The green-toned main window is dominated by a lighter panel that includes statistics about recent antimalware scans and a button to launch an immediate scan.
Even if you never click that button, Webroot makes a full scan during installation and runs a scheduled scan every day.
Another sizeable panel touts the Webroot Community forum, with a button to join the discussion.
Access to the rest of this product’s significant feature collection is handled in a panel at the right.
How It Works
Webroot’s cloud-based servers maintain a giant database of known programs, good and bad. Rather than maintain a local database, with all the headaches of keeping it up to date, your local Webroot installation queries that database about the programs it sees.
If the program’s legit, Webroot leaves it alone.
If it’s a known threat, Webroot cleans up its traces.
What about unknown programs? This is where it gets interesting. When Webroot encounters an unknown program, it sends detailed telemetry to HQ for analysis, and starts monitoring that program.
Every action by the suspect gets journaled for possible rollback. Of course, some events can’t be rolled back.
Transmitting data to an outside source is one example. Webroot doesn’t let an unknown program perform that sort of action. Yes, that means a valid unknown program might not be fully functional for a while, but in truth, valid programs almost never spend time in monitoring limbo.
In some cases, correlation rules let the server match the unknown app to an existing threat, resulting in a real-time response.
In others, teams of human researchers around the globe dig into the unknown file.
According to my Webroot contact, a weekly internal report shows that human analysis averages between 45 and 90 minutes.
Once the program has been analyzed, the server notifies your local Webroot antivirus.
If the program turns out to be legit, its probation ends.
If not, Webroot terminates the program and reverses all of its actions.
And if another user encounters that same now-known threat, Webroot can smack it down right away.
Of course, if you lose Internet connectivity Webroot can no longer contact its cloud server.
But it already knows which of your existing programs are trusted, so there’s no problem with them.
In this mode, every program that hasn’t launched on your PC before gets treated as an unknown. When the connection is restored, Webroot checks in with the server, releasing programs that proved to be trusted and rolling back any malicious ones.
In any case, with no Internet connection you’re much less likely to encounter new malware.
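The classify-then-journal scheme described above, as an added example that is not Webroot’s code: a toy monitor that looks program hashes up in a constructed cloud database, lets known-good programs run, blocks known-bad ones, journals every file write by an unknown program, refuses its network transmissions, and either releases the journal or rolls the writes back once a verdict arrives. The in-memory "disk", the `CLOUD_DB` table and the offline behaviour (anything not already trusted is unknown) are assumptions of the example.

```python
import hashlib

# Constructed cloud "database": sha256 of program bytes -> verdict.
CLOUD_DB = {
    hashlib.sha256(b"notepad").hexdigest(): "good",
    hashlib.sha256(b"evil-dropper").hexdigest(): "bad",
}

class Monitor:
    def __init__(self, files, online=True):
        self.files = files        # in-memory "disk": path -> bytes
        self.online = online      # offline: every unseen program is unknown
        self.journal = {}         # program hash -> list of (path, previous bytes)
        self.trusted = set()      # programs already confirmed good

    def classify(self, program):
        h = hashlib.sha256(program).hexdigest()
        if h in self.trusted:
            return "good"
        if not self.online:
            return "unknown"
        verdict = CLOUD_DB.get(h, "unknown")
        if verdict == "good":
            self.trusted.add(h)
        return verdict

    def write(self, program, path, data):
        """A program's attempt to write a file, mediated by the monitor."""
        verdict = self.classify(program)
        if verdict == "bad":
            return False
        if verdict == "unknown":
            h = hashlib.sha256(program).hexdigest()
            # Journal the prior contents (None = file did not exist) before the change.
            self.journal.setdefault(h, []).append((path, self.files.get(path)))
        self.files[path] = data
        return True

    def send_network(self, program, payload):
        """Unknown programs may not transmit data while they are being monitored."""
        return self.classify(program) == "good"

    def verdict_arrived(self, program, verdict):
        """Analysis finished: drop the journal (good) or undo every journaled write (bad)."""
        h = hashlib.sha256(program).hexdigest()
        entries = self.journal.pop(h, [])
        if verdict == "good":
            self.trusted.add(h)
            return 0
        for path, old in reversed(entries):   # newest write first
            if old is None:
                self.files.pop(path, None)
            else:
                self.files[path] = old
        return len(entries)
```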
One more thing.
At present, the Mac edition doesn’t use this journaling and rollback technique. My Webroot contact explained that they haven’t seen a need for it, but that it could be added if it becomes necessary.
Malware Testing Dilemma
This delayed-action response is a clever way to deal with never-before-seen malware, but it just doesn’t jibe with current antivirus tests. Researchers expect the antivirus products to take action right away, blocking installation of new malware samples and cleaning up any existing infestations.
They may allow a few minutes to be sure the antivirus has finished.
But Webroot’s analysis can take quite a bit longer.
So what if it completely reverses the malware activity after an hour?
At that point, it has already been marked as a failure.
Due to this incompatibility, I have no results to report from my usual group of antivirus testing labs.
I do note that London-based MRG Effitas includes Webroot in its regular testing.
In a recent certification test Webroot received Level 2 certification.
That means that although some of the malware samples did run, their effects were completely remediated on or before the next reboot. Only Kaspersky Anti-Virus (2016) received Level 1 certification, meaning none of the samples even got a foothold.
Banks look to this lab’s results to make sure their customers can make an informed choice of antivirus protection.
In another certification test for financial malware protection, only Webroot, Kaspersky, and two others passed.
The other 14, including many well-known names, failed to achieve certification.
Going forward, I’ll consider including these tests along with the others that I aggregate into the lab results score.
Thorough Malware Blocking
Webroot’s installer is tiny, less than a megabyte, and the full installation takes little more than that much space on disk.
The installer performs a variety of optimization and configuration tasks, including a scan for malware. Most products couldn’t swing that, but Webroot’s scan takes just three or four minutes.
That’s quite a contrast with the current average, which is closer to 45 minutes.
After any scan that detects and cleans up malware, Webroot scans again, just to be sure everything is clean now.
When I opened the folder containing my collection of malware samples, Webroot didn’t react immediately, but moving them to a new folder got its attention.
It detected and removed some of the samples, displaying a transient notification of its actions.
After a short while, the main window turned red and displayed a list of other samples.
It requested a scan to remove those. On completion, it rescanned and found some more.
A third scan came up clean.
At this point, every single sample was gone from the folder, but all of the legitimate files that I store alongside the samples were intact.
That’s 100 percent detection and a perfect 10 for malware blocking, the same score Webroot received the last time I tested it.
Avira Antivirus 2016 is the only other product that’s been tested using this very new sample set.
It managed 94 percent detection, which is pretty good, but because it allowed the samples to install quite a few executable traces, it only scored 8.5 overall.
It’s not entirely fair to compare test results that used different sample sets.
I’ll just point out that the top score among products tested with the previous set was 9.3 points, shared by Bitdefender Antivirus Plus 2016 and Avast Pro Antivirus 2016.
As always, I keep a second folder containing hand-modified versions of my samples.
I change the name, append nulls to change the length, and tweak some non-executable bytes. Normally all I do is note whether an antivirus misses the tweaked versions of files whose untweaked versions it caught.
Since Webroot eliminated all of my regular samples, I got no chance to see how it handles unknown files.
So, contrary to my usual style, I tried launching the tweaked versions.
Webroot wiped out 40 percent of the samples right away, which left me with plenty for experimentation. Webroot blocked some of the samples when I launched them, and requested a cleanup scan for others, but it let quite a few of them run, while monitoring them as untrusted.
By the time I worked through them all, though, they had all been identified as malicious. Webroot requested a scan, and another, and another.
After the third scan, all of the modified samples were gone.
Just as Webroot’s database tracks bad files, it also notes dangerous websites.
Its browser extension supports Chrome, Firefox, and Internet Explorer, and serves to keep you from accidentally surfing to a dangerous website.
To test this feature, I tried to navigate to 100 newly discovered malware-hosting URLs. Webroot blocked 84 percent of the dangerous downloads, some by steering the browser away from the URL, others by immediately quarantining the payload.
That’s pretty good, but I tested Avast simultaneously using the same list of URLs, and it blocked 99 percent, all at the URL level. On the downside, Avast supports just Chrome and Firefox, not Internet Explorer.
Before Avast took over the malicious URL blocking crown, the best score was 91 percent protection. McAfee AntiVirus Plus (2016) and Symantec Norton Security Premium shared that score.
Excellent Antiphishing
Phishing websites are frauds that masquerade as secure sites in order to steal your credentials. PayPal, banks, gaming websites, even dating sites—I’ve seen them all. Once you fill in your username and password on such a site, your account is pwned.
Of course, these sites quickly get detected and blacklisted, but in the time between a site’s appearance and its demise, the perpetrators victimize as many saps as they can.
The very best antiphishing tools don’t just rely on blacklisting, but also perform real-time analysis to detect brand-new frauds. Webroot is clearly in the real-time camp. You can see the page start to load, only to be replaced by a page that warns “Phishing attack ahead.”
For this test, I gather URLs that have been reported as fraudulent but not yet blacklisted.
Typically they’re no more than a couple of hours old.
I try to visit each URL in five browsers simultaneously, one using the product under test, one using Norton, and one apiece relying on protection built into Chrome, Firefox, and Internet Explorer.
Almost two-thirds of recent products scored lower than at least one of the browsers, and over a quarter of them displayed worse protection than all three built-ins. Hardly any products beat Norton’s detection rate, but Webroot managed to do so, by 1 percent.
The only other recent product to beat Norton was Bitdefender, by 2 percent.
Ransomware Adventure
Webroot’s journaling and rollback feature should be able to recover from almost any attack, even encrypting ransomware.
In fact, the company devoted quite a bit of developer energy specifically to the ransomware problems.
At Webroot HQ last year, I saw a live demo of the recovery process.
That was impressive, but how much more so if I could demonstrate it for myself.
I started off using one of my new malware samples, a nasty encrypting ransomware attack.
I had to cut off the test system’s Internet connection, because otherwise Webroot wiped out the sample before I could try anything.
Alas, although the attacker displayed its ransom message, it did not actually encrypt any files, no matter how I tried. Quite possibly it’s smart enough to refrain from chicanery when it detects an antivirus present.
So, I created a simple program to simulate an encrypting malware attack. My little program finds all the text files in and below a specific folder and encrypts them using simple-minded XOR encryption.
The nice thing about using XOR encryption is that the same function decrypts the file, so a second run of the program puts things back to normal.
I added some suspicious-looking behaviors, such as setting itself to launch at startup, things that would get it flagged as untrusted.
And I turned it loose on my test system.
This program was the ultimate unknown—never seen by anyone before until I compiled it. Webroot naturally started monitoring its behavior.
I verified that the files had indeed been encrypted.
Then I used Webroot’s process list to manually block the program. Webroot terminated it immediately, and a scan restored the encrypted files. What fun!
Firewall Bonus
Webroot includes firewall protection, even in the standalone antivirus, but it’s not the same as what many others do.
This firewall doesn’t attempt to put your system’s ports in stealth mode; it leaves that task to the built-in Windows Firewall. You’ll want to double-check that Windows Firewall is turned on.
It doesn’t attempt to fend off network-based exploits.
I hit the test system with about 30 exploits generated by the CORE Impact penetration tool and, indeed, it didn’t interfere with them.
Since the test system is fully patched, the exploits also didn’t do any actual damage.
As noted, Webroot classifies programs as good, bad, or unknown. Like Norton, it leaves the good ones alone, eliminates the bad ones, and monitors the unknowns.
As mentioned earlier, if an unknown program tries to exfiltrate your private data while it’s being monitored, it won’t succeed.
The firewall really kicks in when Webroot detects an active infection, which causes the main window to turn from green to dramatic red.
At this point, it clamps down on network traffic by unknown programs, without keeping you from normal activities like Web browsing.
If you want the old-school behavior, where the firewall pops up a warning every time an untrusted program tries Internet access, you can tweak the firewall’s settings. You can even go a step farther, setting it to block all access for untrusted programs.
One thing’s for sure, a malware coder isn’t going to disable Webroot’s protection.
It doesn’t expose any settings in the Registry.
Its two processes are protected against termination.
And I couldn’t stop or disable its single Windows service.
Advanced Features
There’s actually quite a bit more to this tool, if you’re interested enough to poke around.
If you’d rather not, no problem! You don’t need to view, use, or configure these advanced features at all.
Identity Protection acts to prevent a wide variety of typical malware attacks including man-in-the-middle, browser process modification, and keylogging.
It can apply protection to specific applications that you choose; Internet Explorer is on the protected list by default.
A set of antimalware tools lets you repair collateral damage, like malware-modified wallpaper, screensaver, or system policies. You can also use it to quickly reboot into Safe Mode, or perform an instant reboot.
Those with tech skills can manually remove malware, along with its associated Registry data.
And if necessary, you can run a removal script created by Webroot tech support.
If you really want to see what Webroot is doing, you can open the Reports page and check its current activity, or history. You probably won’t want to read the available scan log or threat log, but tech support may ask for them. You can even view all active processes and see which ones Webroot is monitoring.
There are advanced features, and there are really advanced features.
SafeStart Sandbox is among the latter.
If you’re a trained antivirus researcher, you can use it to launch a suspect program under detailed limitations that you specify.
If you’re not, just leave it alone.
Still a Winner
It’s been a while since I put Webroot SecureAnywhere AntiVirus to the test.
I’m happy to say that it’s still a winner in my testing, even though the antivirus testing labs mostly can’t handle it.
In my malware-blocking, antiphishing, and malicious URL blocking tests, its scores were perfect, excellent, and very good, respectively.
Webroot remains an Editors’ Choice for commercial antivirus.
It shares that honor with Bitdefender Antivirus Plus 2016, Kaspersky Anti-Virus (2016), and McAfee AntiVirus Plus (2016).