AVLab.pl Advanced In-The-Wild Malware Test results for March 2025

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

simmerskool

I do apologize ahead of my upcoming comment but it does have to be made: I question validity of any test and its method that scores Webroot at 100%; 100% of the time it's tested.

I know I am a single datapoint but come on my own personal experience with the product was not so great. The only time within the last 15 years that I came across an infection that I had to remedy from my system was when that system was running webroot.
You are not alone! See my short macOS comment above, I could elaborate but won't -- just know BAD! I cannot comment re webroot on windows -- I ran it on win for awhile but then no more.
 

Andy Ful

Maybe @Shadowra needs to re-test Webroot??

I do not think Webroot can do better than in this test (without WHHLight):

Against evasive threats, Webroot needs additional protection (like WHHLight, CyberLock, etc.). The result could probably be OK, even when WHHLight was used without WDAC (only SimpleWindowsHardening restrictions for non-EXE threats).

If Shadowra wants to make another test, it would be interesting to test EXE files separately. Unfortunately, the rollback feature can be triggered after some minutes. So, after the test, it would be necessary to wait an hour or more (depending on the number of executed samples) and restart the system before checking for possible infections.:(

The "wait-and-see approach" of Webroot is hard to test when the samples are executed one after the other. Many samples are actually executed in the system and are allowed to make many suspicious changes. So, the samples executed later are more evasive as compared to the test when each sample is executed on a clean machine, like in AVLab and SE Labs tests. This issue is not so important to other AVs, which have much better malware signatures (local and in the cloud) and pre-execution detection.
 

simmerskool

I do not think Webroot can do better than in this test (without WHHLight):

Against evasive threats, Webroot needs additional protection (like WHHLight, CyberLock, etc.). The result could probably be OK, even when WHHLight was used without WDAC (only SimpleWindowsHardening restrictions for non-EXE threats).

If Shadowra wants to make another test, it would be interesting to test EXE files separately. Unfortunately, the rollback feature can be triggered after some minutes. So, after the test, it would be necessary to wait an hour or more (depending on the number of executed samples) and restart the system before checking for possible infections.:(

The "wait-and-see approach" of Webroot is hard to test when the samples are executed one after the other. Many samples are actually executed in the system and are allowed to make many suspicious changes. So, the samples executed later are more evasive as compared to the test when each sample is executed on a clean machine, like in AVLab and SE Labs tests. This issue is not so important to other AVs, which have much better malware signatures (local and in the cloud) and pre-execution detection.
@Andy Ful & @Shadowra IIRC Prevx was ok to run with MS Defender & any other 3rd-party AV, that was years ago, so is Webroot still compatible with 3rd-party AV or with MS Defender? I can visualize that Webroot with Defender & Cyberlock might be a good combo with no slowdowns if compatible. IIRC @danb said Webroot was good with VS/CL but that was also in times past.
 

simmerskool

Webroot reply was minimally responsive imo: "Yes, You can install Webroot if Windows Defender is already on your computer. Just make sure to turn off the periodic scanning if you have issues installing Webroot." Most likely I'll take a pass...
 

Andy Ful

Webroot reply was minimally responsive imo: "Yes, You can install Webroot if Windows Defender is already on your computer. Just make sure to turn off the periodic scanning if you have issues installing Webroot." Most likely I'll take a pass...

When Webroot is installed, Defender works in passive mode (like in the case of any AV accepted by Microsoft):

[Attached screenshots: 1745660270771.png, 1745660331640.png]


Webroot Firewall works with Windows Firewall.
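
A way to confirm the passive-mode behaviour described in the post above on a Windows 10/11 client (an added example, not part of the original thread and not Webroot's or Microsoft's own tooling). The function name `Get-AvCoexistenceStatus` is hypothetical, and identifying Defender by matching "Defender" in the registered display name is an assumption of this example.

```powershell
# Added example: report how Microsoft Defender and registered third-party AV coexist.
# SecurityCenter2 exists on Windows client editions, not on Windows Server.
function Get-AvCoexistenceStatus {
    [CmdletBinding()]
    param()

    # AMRunningMode is "Normal", "Passive Mode", "SxS Passive Mode",
    # "EDR Block Mode" or "Not running".
    $mp   = Get-MpComputerStatus -ErrorAction Stop
    $mode = $mp.AMRunningMode

    # Products that registered themselves with Windows Security Center.
    $registered = @(Get-CimInstance -Namespace 'root/SecurityCenter2' `
                        -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue)
    # Assumption: Defender's own entry contains "Defender" in its display name.
    $thirdParty = @($registered | Where-Object { $_.displayName -notmatch 'Defender' })

    $passive = ($mode -like '*Passive*') -or ($mode -eq 'EDR Block Mode')
    $active  = ($mode -eq 'Normal')

    $finding = if ($passive -and $thirdParty.Count -eq 0) {
        'Defender is passive but no third-party AV is registered: no primary real-time engine.'
    } elseif ($passive) {
        'Defender is passive; the registered third-party AV is the primary engine.'
    } elseif ($active -and $thirdParty.Count -gt 0) {
        'Defender is active alongside a registered third-party AV: two real-time engines.'
    } elseif ($active) {
        'Defender is the only registered engine and is active.'
    } else {
        "Defender reports running mode '$mode'; check the service state."
    }

    [pscustomobject]@{
        DefenderRunningMode  = $mode
        DefenderRealTimeOn   = $mp.RealTimeProtectionEnabled
        ThirdPartyRegistered = $thirdParty.displayName -join ', '
        Finding              = $finding
    }
}

Get-AvCoexistenceStatus | Format-List
```

The first finding is the one worth alerting on: it typically appears when a third-party product was removed or expired but Defender has not returned to `Normal`.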
 

roger_m

Webroot still state their antivirus can be used alongside another antivirus. While it is generally not recommended to have two antiviruses installed, it can be done when one of the products has been designed to work alongside other antiviruses. For example, I've run 360 Total Security with other antiviruses with zero issues. In the case of 360 TS, they don't advertise the fact it is compatible with other antiviruses, on their website. However, if you run its uninstaller, it tells you that if you switch the protection to Performance mode, it can be used with another product too.
Is Webroot SecureAnywhere compatible with other antivirus software?

The short answer:
Yes!

The long answer:
Although security software companies have, traditionally, advised against running multiple antivirus programs on the same computer, this rule does not hold true for Webroot SecureAnywhere. The reason for such recommendations involved the way traditional antivirus programs run. SecureAnywhere is different.

Most antivirus software is very aggressive. When an antivirus program scans a file, it accesses that file and locks it until the scan is complete, so other programs can’t access it. If multiple real-time antivirus scanners are installed on the same system, the secondary system will attempt to scan the file the moment it is accessed by the first scan. Now, both programs are competing to scan the file. Depending on the aggressiveness of each program, one may detect the conflict as an “attack” and attempt to block the offending process. Now, the two antivirus programs are not only competing for the same file, but are actively working against one another. This causes a strong struggle for resources on your computer that can drastically impact system performance, and can leave your system more vulnerable to malware attacks.

Antispyware software, on the other hand, is non-aggressive toward antivirus software. While it may try to lock files being actively scanned, it will not compete with an antivirus program when the latter attempts to block or take control of a file. This is why antispyware applications can run alongside most antivirus protection without issue.

As mentioned above, Webroot SecureAnywhere works differently from other virus protection. SecureAnywhere does not rely on the customary system of definition sets to make determinations. Instead, this new program examines file behavior and system interaction closely to determine if files are malicious or not. Only files that present risk are examined.

Using the same advanced behavioral detection that determines which files are malicious, SecureAnywhere is able to recognize other virus protection software on your computer as one of “the good guys.” This means SecureAnywhere won’t block with on-access scanning or try to break through legitimate lockouts. In this way, potential software conflicts, and the resulting system slowness and vulnerability, can be avoided. You can run SecureAnywhere alongside another antivirus program safely.
 

Andy Ful

I am not sure.
With all due respect to the guy from Webroot support, he/she missed some important possible issues. Although Webroot can be friendly to other AVs, there is no proof that other AVs must be friendly to Webroot. Furthermore, malware behavior can be unusual when another AV is installed, which may impair Webroot behavioral protection. Finally, another AV can impair Webroot's rollback feature. (y)
 

simmerskool

Webroot still state their antivirus can be used alongside another antivirus. While it is generally not recommended to have two antiviruses installed, it can be done when one of the products has been designed to work alongside other antiviruses. For example, I've run 360 Total Security with other antiviruses with zero issues. In the case of 360 TS, they don't advertise the fact it is compatible with other antiviruses, on their website. However, if you run its uninstaller, it tells you that if you switch the protection to Performance mode, it can be used with another product too.

interesting -- I did ask Webroot support this specific question which they avoided answering in their above-reply to me.
 

BSONE

I remember using Webroot over 10 years ago. This was shortly after they acquired Prevx and it had a very minimalist UI with a little green Wizball icon in the system tray. I remember using it with another AV at the time and it worked quite well. After some time I started to use it on its own and I was happy with it. I never knowingly got infected, and it even saved me once when I clicked on a video that I downloaded with a double file extension.
Webroot at the time was one of the first cloud based Antivirus solutions. They explained it quite well with their Brightcloud webinars, which were very good actually.
The biggest issue that I had with webroot though was not their lack of signature updates (as their cloud AV was good), but the fact that they kept on harping on about their rollback feature which they touted as the panacea solution for everything. The problem with relying on Rollback is that if you are infected with an Infostealer, Webroot will not reverse transactions that drained your personal bank account of your life savings, nor fraudulent transactions on your Visa or Amex card used to buy Gucci hand bags in Milan. The same goes for your Google, Microsoft and iCloud accounts: all ransacked of useful and personal information. As the old adage says "Prevention is better than cure"
 

Digmor Crusher

The problem with relying on Rollback is that if you are infected with an Infostealer, Webroot will not reverse transactions that drained your personal bank account of your life savings, nor fraudulent transactions on your Visa or Amex card used to buy Gucci hand bags in Milan. The same goes for your Google, Microsoft and iCloud accounts: all ransacked of useful and personal information. As the old adage says "Prevention is better than cure"
Yup, and that's why restoring an image is not an effective means of malware remediation, sure you can roll back to an earlier image and get rid of the malware, only problem is your bank balance is now $0.00.
 

Andy Ful

The problem with relying on Rollback is that if you are infected with an Infostealer, Webroot will not reverse transactions that drained your personal bank account of your life savings, nor fraudulent transactions on your Visa or Amex card used to buy Gucci hand bags in Milan. The same goes for your Google, Microsoft and iCloud accounts: all ransacked of useful and personal information. As the old adage says "Prevention is better than cure"

If you believe Webroot's documentation, the rollback is often associated with restrictions on outbound connections and some other actions.

However, the problem mentioned by you can probably not be solved in all cases. Anyway, I would not worry about the particular malware type but rather about fileless methods.
 

Trident

Yup, and that's why restoring an image is not an effective means of malware remediation, sure you can roll back to an earlier image and get rid of the malware, only problem is your bank balance is now $0.00.

The whole Webroot concept with the rollback is just a complete and utter nonsense, as I’ve said many times before.

Malware delivers malicious behaviour quickly in most cases (unless special date and time or events like reboot are required). Waiting minutes or hours for this malicious behaviour to be classified and partially rolled back is not a good idea at all.

Being “friendly” and able to run alongside other security software displays lack of confidence that the software can do the job on its own. If the software developer is not confident, I don’t see any reason why users should be.
 

Andy Ful

The whole Webroot concept with the rollback is just a complete and utter nonsense, as I’ve said many times before.

Yes, depending too much on the rollback is not the best solution.
The rollback can be a valuable addition to other security layers when fighting FUDs. Kaspersky and Bitdefender use it against ransomware. Other possibilities are file reputation (Symantec Download Insight, Microsoft SmartScreen), auto-containment (Comodo), and blocking files until analyzed in the virtual environment (Avast, AVG, Norton, Microsoft ISG).

Webroot home products may depend too much on the "wait-and-see approach" (temporary restrictions + cloud AI + rollback), especially for evasive threats.
Fast signatures could significantly reduce the necessity of rollback.
It seems that the evasive threats are better covered in Webroot's business products:
In spring of 2020, Webroot began releasing a series of enhancements to Webroot® Business Endpoint Protection, which include a new Evasion Shield policy. This shield leverages AMSI, as well as new, proprietary, patented detection capabilities to detect, block, and quarantine evasive script attacks, including file-based, fileless, obfuscated, and encrypted threats. It also works to prevent malicious behaviors from executing in PowerShell, JavaScript, and VBScript files
Useful document:
 

cartaphilus

Yes, depending too much on the rollback is not the best solution.
The rollback can be a valuable addition to other security layers when fighting FUDs. Kaspersky and Bitdefender use it against ransomware. Other possibilities are file reputation (Symantec Download Insight, Microsoft SmartScreen), auto-containment (Comodo), and blocking files until analyzed in the virtual environment (Avast, AVG, Norton, Microsoft ISG).

Webroot home products may depend too much on the "wait-and-see approach" (temporary restrictions + cloud AI + rollback), especially for evasive threats.
Fast signatures could significantly reduce the necessity of rollback.
It seems that the evasive threats are better covered in Webroot's business products:

Useful document:
Are you willing to risk your reputation and/or job on using webroot for your business and hoping that the marketing hype works? I want to see the product in action either evading or remediation of a threat like a RAT, or ransomware or just a persistent install.
 

Andy Ful

Are you willing to risk your reputation and/or job on using webroot for your business and hoping that the marketing hype works? I want to see the product in action either evading or remediation of a threat like a RAT, or ransomware or just a persistent install.

If you ask me, I would use in my SMB a free solution such as Microsoft Defender (ConfigureDefender advanced settings) + WDAC (currently App Control for Business) + SRP (Software Restriction Policies). In Enterprises, my suggestion would be similar, with any popular EDR.
Do you think other solutions can protect much better than Webroot's business products?
https://malwaretips.com/threads/mic...is-malware-gets-around-it.133857/post-1109465

But yes, there are some higher-rated and more popular solutions:
 

Trident

Fast signatures could significantly reduce the necessity of rollback.
It seems that the evasive threats are better covered in Webroot's business products:
They use no signatures whatsoever, they rely on hash-based detection which appears to only cover executable files. I would assume they at least use fuzzy hashes, but it may as well be SHA256 or MD5 values.

Then they use Infrared which is heuristics and ML-based detection again, for executable files. The behavioural blocking and rollback only deals with untrusted processes, unless someone goes and manually includes a variety of LOLBins under the monitored list. I’ve executed a wide variety of threats and have never seen the bespoke rollback in action, everything was just active in memory.

The evasion shield is there on business products but is again, heuristics based, for example, it would be triggered if obfuscation (gibberish) is present. Whilst Webroot for a home user could potentially be OK (though arguably home users can do a lot better and cheaper), in the context of advanced attacks it’s comic to bring up Webroot 🙂
 
