There are many ways an antivirus program can detect the presence of malware, ranging from simple signature-based detection to elaborate behavior analysis schemes. Webroot AntiVirus takes a slightly different approach from most. It does wipe out malware that it recognizes, and it greenlights known good programs. But any program that’s unknown runs in a bubble, with no ability to permanently modify the protected system, while Webroot’s cloud-based analytics determine its fate. If it’s malicious, the tiny local Webroot program wipes out the attacker and reverses its actions. Keeping the brains in the cloud makes Webroot amazingly small and fast.
While we still have a positive impression of Webroot, we’re no longer naming it an Editors’ Choice winner as we have in the past. Two products retain the Editors’ Choice imprimatur in the antivirus realm, Bitdefender Antivirus Plus and McAfee AntiVirus Plus. Bitdefender aces independent lab tests and boasts more features than some suites. McAfee doesn’t always score as high, but a single subscription protects all your devices.
Like Bitdefender, Kaspersky, and several others, Webroot costs $39.99 for a one-year subscription. When last reviewed, it also offered three licenses for $49.99, but at present, there’s no volume discount at all. As with Trend Micro, if you want more licenses you must upgrade to the next-higher product, or just pay the full price multiple times.
Along with the simplified pricing, Webroot has dropped the word “SecureAnywhere” from official product names. You’ll still see it in plenty of places, including the application’s main window, but the official name is now just Webroot AntiVirus.
A one-license subscription to Norton’s standalone antivirus runs you $59.99. Previously that was the only price, but by observation, Norton now offers a five-license pack at $84.99 per year. As for McAfee AntiVirus Plus, it costs $64.99 per year, but that subscription gets you unlimited protection for your Windows, macOS, Android, iOS, and even ChromeOS devices. As always, you may find any of these prices discounted for the first year, sometimes quite deeply.
You can use your Webroot license to install antivirus on either a PC or a Mac. Some components of Webroot AntiVirus for Mac, in particular the web-based protection system, are identical on both platforms. Overall, the two editions offer similar security features, though Webroot doesn’t go quite as overboard with expert features on the Mac.
Webroot’s installer is tiny, less than 6MB, and it installs in a flash. Immediately on installation, it busies itself with a collection of startup tasks, checking off each one as it finishes. Among the listed tasks are: scanning for active malware; analyzing installed applications to reduce warnings and prompts; establishing a system baseline; and optimizing performance for your unique system configuration. Even with these added tasks, the process goes quickly.
The product’s appearance hasn’t changed appreciably in quite a while. Its green-toned main window features a lighter panel that includes statistics about recent scans and a button to launch an on-demand scan. Even if you never click that button, Webroot makes a full scan during installation and runs a scheduled scan every day. A panel at the right manages access to the rest of this product’s collection of security features.
As part of getting started with Webroot, you’ll set up a profile online. The process has a strong emphasis on security. I don’t always use the strongest passwords for profiles used in testing, since they’re only needed for the duration of the test. But Webroot required a truly strong password and wouldn’t accept anything less. It used to require a secondary security code that you enter in an unusual fashion. Each time you’d log in to the online profile, it would demand two specific characters from that security code, different each time. It might ask for the second and fourth characters on one visit, and the sixth and seventh on another. That odd system has been replaced by a standard CAPTCHA.
You can further enhance your security by protecting your account with multi-factor authentication. Previously you’d set up MFA by scanning a QR code with Google Authenticator or a workalike. Alas, Webroot has switched to using less-secure SMS-based authentication.
Another disappointment is the removal of Webroot’s impressive monitoring and remote-control system. Previously you could log into your account and view the status of all your Webroot installations, even the details of their latest scans. What’s more, from the console you could launch a scan remotely. You could also lock, shut down, or restart the device. Think how convenient it would be to manage your tech-challenged relative’s protection remotely, without having to drive across town. Alas, this feature is simply gone.
As noted, Webroot handles new, unknown programs by letting them run under strict monitoring. It prohibits irreversible actions like sending personal data to the internet, and keeps a journal of reversible actions, all while awaiting a verdict from Webroot’s cloud analysis system. If the program under judgment proves to be nasty, Webroot wipes it out and reverses all its journaled changes.
This system just isn’t compatible with many independent lab tests. Labs like AV-Test Institute and AV-Comparatives expect antivirus programs to act right away on malware they recognize, whether detection occurs using signatures, heuristics, or behavioral analysis. Webroot’s relationship with the labs has been rocky. Just one of the four that I follow has recently included Webroot in testing.
Researchers at MRG-Effitas report on two main tests, one specific to banking Trojans and one aiming to cover the full range of malware types. Security programs that don’t earn near-perfect scores simply fail; these are tough tests. Webroot used to do particularly well in the all-types test, which offers certification to products that remediate all malware attacks within 24 hours. That sort of test would align well with Webroot’s journal-and-rollback system. Unfortunately, it’s been some years since Webroot participated.
Researchers at SE Labs use a capture and replay system to package up real-world malware attacks and unleash them on multiple antivirus products simultaneously. This lab certifies antivirus products at five levels, AAA, AA, A, B, and C; Webroot earned a respectable AA certification. To be fair, all but one of the tested products came in at either the AAA or AA level. The odd man out was Malwarebytes Premium, which earned a B. Like Webroot, Malwarebytes doesn’t always align well with standard testing methods.
I use an algorithm to derive an aggregate lab score for products tested by at least two labs. With just one result, Webroot doesn’t have an aggregate score. Bitdefender Antivirus Plus epitomizes lab test perfection, with the maximum possible scores from all four labs. Tested by three labs, Kaspersky’s aggregate score is an impressive 9.8, with McAfee and Norton close behind at 9.7.
For some years now, Webroot has scored high in my own hands-on malware protection tests. This time around it still did very well, but not quite up to previous standards.
Simply opening a folder of malware samples wasn’t enough to trigger its real-time detection, but moving the samples to a new folder got its attention. It handled detected samples in three waves. About 30% went quietly to quarantine. For another 25%, Webroot asked to go through a disinfection procedure. And that procedure turned up another 6% of samples, for a total of 61% caught right away. That doesn’t sound like a lot, but remember that Webroot’s detection system centers on malware behavior, not on simple recognition. With that in mind, 61% caught before even launching is darn good.
I maintain a second set of samples that I’ve tweaked by hand, changing the filename, file size, and some non-executable bytes. The initial round of real-time detection didn’t eliminate any of these. That’s not terribly surprising given that the hand-tweaked files have never been seen before. I did find it odd that none of my ransomware samples fell to Webroot’s initial detection.
As always, I continued this test by launching any samples that survived the initial culling and recording how Webroot handled them. It caught all the ransomware samples at this stage, and quite a few other samples. However, several managed to plant executable files on the test system. After each malware removal event, Webroot asked to scan the system again to make sure it left no traces behind. The repeated scans would have been tedious, but fortunately each repetition only took a few minutes.
Overall, Webroot detected 95% of the samples and scored 9.5 of 10 possible points. When tested with my previous collection of malware samples, Webroot did better, 98% detection and 9.7 points. However, its current score is the best of the six products tested with my latest sample set.
Webroot’s scan also put a couple of my hand-coded testing tools in quarantine, but I can’t really blame it. Consider a program that’s never been seen before by the cloud analysis system, whose purpose is to launch fraudulent URLs. Suspicious much? I restored my tools from quarantine and proceeded with testing.
I use the same set of curated samples for months, because the collection process itself takes weeks. To get a look at protection against the most current threats, I start with a feed of URLs that researchers at MRG-Effitas recently found to be hosting malware. Typically, these are no more than a couple of days old. I launch each and note whether the antivirus prevents browser access to the dangerous URL, eliminates the file upon download, or completely fails to notice the malware download.
Of 100 validated dangerous URLs, Webroot blocked 64% in the browser and wiped out the malware payload of another 29%, for a total of 93% protection. Interestingly, when I tried to launch the surviving verified malware samples, Webroot caught them all. Note, though, that launching the samples is not actually part of this test.
Webroot’s 93% is a decent score, but ten competing products have done better, and five of those (McAfee, Norton, Sophos Home Premium, Trend Micro, and ZoneAlarm) scored a perfect 100%. Yes, each product gets hit with a different selection of malware-hosting URLs, but they’re always the most recent ones.
There’s nothing innately dangerous about a phishing website—no drive-by downloads, malicious scripts, or other active threats, just an inviting imitation of a secure website. You’re perfectly safe if you’re astute enough to recognize and avoid the fraudulent page. But woe betide the careless web surfer who enters login credentials on one of these fraudulent sites. If you fall for the fraud, you’ve just given away full access to your bank site, shopping site, or even dating site. It’s not good.
These fraudulent sites get shut down and blacklisted quickly, but the perpetrators simply pop up another fake and start trolling for new victims. To test an antivirus product’s phishing protection, I try for an even split between verified phishing URLs and reported frauds that are so new there’s been no time to analyze and blacklist them. I launch each URL in a browser protected by the product in question, and simultaneously in browsers relying on the phishing protection built into Chrome, Edge, and Firefox. I discard any that fail to load in one or more of the browsers, and any that don’t precisely fit the definition of phishing. Once I have enough data points, I run the numbers.
When last tested, Webroot blocked 99% of the verified frauds and outperformed all three of the browsers. This time around, it only detected 93%. While it beat Edge handily, it lagged behind both Chrome and Firefox. In their own latest tests, Avast, Trend Micro, and ZoneAlarm all detected 100% of the phishing frauds.
Phishing is totally platform independent. If your smart fridge includes a full-scale browser, you can get scammed while making a shopping list. Phishing protection, though, can vary by platform. In the past, I’ve frequently seen situations where a company’s Windows product outperformed its macOS product in the same test. With Webroot, the Windows and Mac products scored in lockstep, achieving identical results.
The journal and rollback system that Webroot uses should even roll back the effects of encrypting ransomware, though the company warns that limitations, such as available drive space, can impact this ability. In truth, it would be very unusual for a ransomware attack to get past all the other layers of protection. Because Webroot wiped out all my ransomware samples the moment they launched, I had to scramble to figure out how to test its ransomware protection.
My coding skills are rusty; there’s no way I could write a never-before-seen encrypting ransomware specimen, even if I wanted to. For testing, I wrote a simple-minded ransomware simulator that encrypts all text files in the document folder using reversible XOR encryption.
The program ran unhindered, and I verified that it did encrypt the target files. In Webroot’s Active Processes list, I found the program running in Monitored mode, meaning Webroot was keeping detailed track of its activity. Rather than waiting for a decision from Webroot’s cloud-based brain, I cut to the chase. In the processes list I blocked the program, confirmed immediate termination, and launched a scan. The scan removed the file and reversed its actions, restoring the encrypted files, just as I had hoped.
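The journal-and-rollback behavior described in this review, modeled as an added illustration; it is not Webroot's code or the reviewer's test tool. The `Journal` class, its byte `budget` (standing in for the drive-space limitation the company warns about), the file names, and the deletion of newly created files on rollback are all assumptions.

```python
import os
import tempfile


class Journal:
    """Hypothetical model of journaling for one monitored, unknown program.

    `budget` caps the bytes of original content kept for rollback; it is an
    assumption standing in for limited drive space.
    """

    def __init__(self, budget):
        self.budget = budget
        self.used = 0
        self.saved = {}          # path -> original bytes, or None if newly created
        self.unrecoverable = []  # paths changed after the budget ran out

    def _record(self, path):
        if path in self.saved or path in self.unrecoverable:
            return  # only the state before the first change matters
        if not os.path.exists(path):
            self.saved[path] = None
            return
        with open(path, "rb") as f:
            original = f.read()
        if self.used + len(original) > self.budget:
            self.unrecoverable.append(path)
            return
        self.saved[path] = original
        self.used += len(original)

    def write(self, path, data):
        """Reversible action: journal the original, then allow the write."""
        self._record(path)
        with open(path, "wb") as f:
            f.write(data)

    def send(self, host, data):
        """Irreversible action: refused while the verdict is pending."""
        raise PermissionError(f"blocked network send to {host}")

    def rollback(self):
        """Undo journaled changes; return the paths that could not be restored."""
        for path, original in self.saved.items():
            if original is None:
                if os.path.exists(path):
                    os.remove(path)
            else:
                with open(path, "wb") as f:
                    f.write(original)
        return list(self.unrecoverable)


def read(path):
    with open(path, "rb") as f:
        return f.read()


def demo():
    """Constructed scenario: two files overwritten, one new file dropped."""
    with tempfile.TemporaryDirectory() as d:
        a, b, new = (os.path.join(d, n) for n in ("a.txt", "b.txt", "new.bin"))
        j = Journal(budget=8)  # room for a.txt (5 bytes) but not b.txt (11 bytes)
        j.saved, j.used = {}, 0
        for path, text in ((a, b"alpha"), (b, b"bravo-bravo")):
            with open(path, "wb") as f:
                f.write(text)
        j.write(a, b"XXXXX")
        j.write(b, b"YYYYY")
        j.write(new, b"ZZZZZ")
        try:
            j.send("203.0.113.5", b"data")  # documentation-range address
            sent = True
        except PermissionError:
            sent = False
        lost = [os.path.basename(p) for p in j.rollback()]
        return read(a), read(b), os.path.exists(new), sent, lost


if __name__ == "__main__":
    print(demo())
```

In the constructed run, `a.txt` comes back intact and the new file is removed, while `b.txt` stays overwritten because its original did not fit in the journal.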
Webroot’s monitoring system works with all malware types. A similar feature in Trend Micro Antivirus+ Security focuses just on ransomware. At the first sign of ransomware behavior, it backs up important files. If its behavioral detection verifies a ransomware attack, it terminates the malware and restores the backed-up files.
Next, I tested Webroot using hand-modified versions of my actual file-encrypting malware samples. As I noted earlier, the real-time scanner didn’t detect any of these. Out of a dozen samples, three didn’t launch and four launched but didn’t perform any encryption. Only four of the samples performed the nefarious task of encrypting files. Webroot didn’t stop them, though it warned that two were attempting to launch at startup.
As with my simple-minded sample, I forced Webroot’s hand by switching the status of each functional ransomware sample to Block and running a cleanup scan. Webroot didn’t delete any ransom notes, nor did it delete the encrypted files, but in three cases it did restore clean versions of all the damaged files. As for the fourth, it failed to recover hundreds of files, most of them executable files.
If you’ve been counting, you’ll realize that I’ve only reported on 11 of the 12 samples. The last one is a rare whole-disk encrypting attacker, and my hand-tweaked version completely defeated Webroot. It simulated a crash, rebooted, and claimed to be restoring the drive. In reality, it encrypted the whole drive and then displayed a garish skull image with its ransom demand. Good thing this was a virtual machine!
With this test, I attempted to simulate what would happen if you got hit by a ransomware sample that Webroot’s analysis system had never seen before. What would happen isn’t great, with one total failure and one partial failure. Fortunately, unknowns quickly become known. When I tried to launch the same hand-modified samples a day later, Webroot eliminated most of them immediately.
For many security companies, the addition of a personal firewall is one of the features that distinguishes the security suite from the standalone antivirus. Webroot’s antivirus includes a firewall, but it doesn’t work quite the same as most. It makes no attempt to put your system’s ports in stealth mode, leaving that task to the built-in Windows Firewall. That’s fine; the built-in does a good job. The only time a firewall’s stealth abilities matter is if they take over from Windows Firewall and don’t do a proper job.
Webroot classifies programs as good, bad, or unknown. Like Norton AntiVirus Plus, it leaves the good ones alone, eliminates the bad ones, and monitors the unknowns. As mentioned earlier, if a monitored unknown program tries a non-reversible action like sending your credit card details overseas, Webroot prevents it.
By default, the firewall ups its game when Webroot detects an active infection, which causes the main window to turn from green to dramatic red. In this mode, any network traffic by unknown programs requires your permission, but normal activities like Web browsing proceed uninterrupted.
The firewall has two other program control modes. You can set it to require confirmation for internet access by untrusted programs even when there’s not an active infection. Or you can crank it up so that every access attempt requires confirmation unless you’ve given the program permission.
When I tried to test this feature for my previous review, I found that it just didn’t work. My Webroot contacts verified that indeed that feature was not working, and promised a fix in two to three weeks. At the time I wrote this current review, it seemed to be still broken, so I asked Webroot to confirm, but got no response. Now, about two weeks after that query, my Webroot contact showed me how to confirm that the firewall isn’t broken.
Every program that’s present on your system at Webroot’s installation is considered trusted, so I had to test using a new hand-tweaked variation of a tiny browser I wrote myself. Webroot allowed this program to access the internet even when set to block untrusted programs. It turns out that Webroot’s analysis identified this modified program as a variation on other programs it had seen in the past and therefore considered it trusted.
When I created a new never-before-seen variant and set the firewall to warn about all programs except those explicitly permitted, I did manage to see this feature in action. My contact noted that regular users never invoke the higher levels of program control, and that these settings may be removed going forward.
Even when it’s working, firewall protection means bubkes if a malware coder can reach in and turn it off. The more processes and services a security tool contains, the more opportunities for such chicanery. With three services, two processes, and no settings exposed in the Registry, Webroot has a very small attack surface. My every attempt to halt its protection resulted in an ignominious “Access Denied” message.
Like most modern antivirus utilities, Webroot works fine even if you totally ignore it. Out of the box, it’s configured for maximum protection, and if you don’t make any changes, it runs a scan every day. What more could you want? It turns out that there’s a ton more to discover under the surface, for those who dare.
Clicking the settings gear next to Identity Protection on the main window brings up a page with controls that toggle what it calls Phishing Shield and Identity Shield. The rest of the page displays a laundry list of just what these shields involve. They aim to fend off a wide variety of typical malware attacks including man-in-the-middle, browser process modification, and keylogging.
Identity Shield and Phishing Shield appear on the Online Protection page under Identity Protection. The adjacent Application Protection page lists apps that get special attention from Webroot. Specifically, it aims to ensure that your personal information can’t be extracted from these programs. When I last tested the product, it populated the list with Chrome, Internet Explorer, and Firefox. This time around, the list was initially empty.
Fortunately, you can add programs to the list for protection. Edge seemed like an obvious choice, though finding the proper EXE file was a challenge. Most users won’t dig into these settings and hence won’t get any benefit from this feature. Those who try to activate it manually may find the process too difficult. Why couldn’t Webroot offer a simple list of applications rather than forcing the user to wade through the file system?
Clicking the gear icon next to Utilities reveals a set of antimalware tools that let you repair damage left behind after malware remediation, things like malware-modified desktop background, screensaver, or system policies. You can also use it to quickly reboot into Safe Mode, or to perform an instant reboot. Those with the necessary skills can use another tool to manually remove any program, along with its associated Registry data. Even if you claim no tech skills yourself, you can run a removal script created by Webroot tech support.
If you really want to see what Webroot has been doing, open the Reports page and check its current or historical activity. You probably won’t want to read the available scan log or threat log, but tech support might well ask for them.
The System Control page is where you find the Active Processes list, which shows all running processes and flags those that are under monitoring by Webroot. Also on this page is the SafeStart Sandbox. There are features for experts, and features for professionals. SafeStart Sandbox is among the latter. If you’re a trained antivirus researcher, you can use it to launch a suspect program under detailed limitations that you specify. If you’re not, just leave it alone. I don’t even use that one myself.
The unusual journal-and-rollback system used by Webroot AntiVirus doesn’t jibe with the testing methods used by many of the independent testing labs, though it received a high score in one recent test. In our hands-on phishing test, it earned a good score but not the near-perfect score from its previous test. Results in our malware protection and malicious URL blocking tests were also slightly down from previous highs.
The impressive and useful ability to remotely monitor and control your Webroot installations is gone. Ransomware protection proved porous in testing. For these and many smaller issues, we no longer consider Webroot an Editors’ Choice winner. It’s still excellent in many ways, and it remains the smallest and fastest antivirus around, but instead of evolving and improving, it seems to be edging downhill.
Bitdefender Antivirus Plus currently holds perfect scores in tests from four independent antivirus labs, and it’s packed with so many useful features it could almost be a security suite. McAfee AntiVirus Plus doesn’t always score as high in lab tests or our own tests, but it’s a bargain, offering protection for every Windows, macOS, Android, iOS, and ChromeOS device in your household. These two are our Editors’ Choice antivirus products, each with its own special merits.
When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.
Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my “User to User” and “Ask Neil” columns, which began in 1990 and ran for almost 20 years. Along the way I …