Webroot SecureAnywhere CE 22.2 v's 1000 sample .exe test

kC77

kC77

Level 5
Thread author
Verified
Well-known
Aug 16, 2021
232
Webroot.... an AV ive never tried before, grabbed the trial, left settings at defaults...
when clicking update it prompts that there are no signatures to download, seems its entirely cloud based.

really failed in a big way, there was many samples missed, i added a glasswire instance so it was obvious to see any samples/infections communicating with the web. (also flagged by my ids)
Process explorer was soon killed and i couldnt restart it, the command prompt was killed so i wasnt sure if the samples batch was still running..... im guessing it was though!
It didnt even make it 1000 samples ran before i restarted the machine (it was obviously infected already)

Many items items added to startup, and in the end, something had managed to add itself an admin account called ADMIN_1 and then removed my account from being an administrator..... game over webroot!
nothing really positive to say about webroot! AVOID!
gif of the test (45mb) dropbox download
 
Last edited:
  • Like
  • Wow
  • Thanks
Reactions: Sunshine-boy, likeastar20, Sorrento and 9 others
Shadowra

Shadowra

Level 36
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,586
BigWrench said:
Absolutely true….. seen and heard that too many times to mention. It’s just plain trash. Sad to recall how they destroyed Prevx 😢

Peace to all ✌️
Click to expand...

Prevx.... So much that I remember this software, it hurts my heart.... I loved it as a child....
Webroot destroyed it, there is nothing left of it......
 
  • Like
  • Sad
  • Applause
Reactions: Nevi, Behold Eck, Sorrento and 5 others
C

ChoiceVoice

Level 6
Verified
Oct 10, 2014
284
i'd turn heuristics to max, instead of default (which seems to be more for complimentary AV usage) and try test again. i can't recall, i think infrared is on by default, but just incase, make sure. and check to see if anything is marked as untrusted, those have been flagged and are `sandboxed' with limited functionality (until their weaker sigs catch up and delete them). you can beef up the firewall settings too to get warnings of if an untrusted process tries to access the net. because it can be used as a complimentary AV it doesn't jump on samples aggressively, but waits to after they execute and then makes a determination (which is why it doesn't test well), that way it doesn't fight with another AV. because of this, you will see infections in the process explorer etc being active . they should be controlled and watched, and later any malicious activity reversed (sometimes after days, cuz they are slower with their sigs). however, i can't recall if journaled and limited apps can access the internet. i think there is a firewall setting to turn that off, which would stop that activity. but the internet access might mean something failed to be stopped (?). if infected though, they clean your computer for free (likely not with your trial though, lol).
 
  • Like
Reactions: Sunshine-boy, Game Of Thrones, Nevi and 3 others
A

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
It has been quite some time. So it’s possible the following information is no longer relevant with Webroot.

The way Webroot tries to work isn’t the standard “get signature, detect malware” like other products.

Webroot relies heavily on its rollback feature. It monitors unknown/potentially dangerous processes for a period of time, and once it determines the process is bad it rollbacks the changes the process has done.

Processes it already knows is bad, it will simply remove like a standard antivirus.

Baldrick explains it better here:
community.webroot.com

Encryption Rollback ? how it works? | Webroot Community

Hi to all of Webrooters :) i seen recently this PcMag review ( http://www.pcmag.com/article2/0,2817,2470312,00.asp ) and part of that review is : This program was the ultimate unknown—never seen by anyone before until I compiled it. Webroot naturally started monitorin...
community.webroot.com community.webroot.com

In addition there’s the identity shield, which tries to protect your data

(page 52)
 
  • Like
Reactions: Nevi, GonzitoVir, [correlate] and 4 others
Sorrento

Sorrento

Level 12
Verified
Top Poster
Well-known
Dec 7, 2021
561
I miss the truly gigantic monitoring files it used to rack up in WRDATA - You could submit to unknowns to support as needed but not exactly user friendly & they used to brag that the install exe would fit on an old floppy - No mention was made of the monitoring files?
 
  • Like
Reactions: [correlate], Shadowra, Azure and 2 others
Andrew3000

Andrew3000

Level 11
Verified
Top Poster
Malware Hunter
Well-known
Feb 8, 2016
537
Azure said:
It has been quite some time. So it’s possible the following information is no longer relevant with Webroot.

The way Webroot tries to work isn’t the standard “get signature, detect malware” like other products.

Webroot relies heavily on its rollback feature. It monitors unknown/potentially dangerous processes for a period of time, and once it determines the process is bad it rollbacks the changes the process has done.

Processes it already knows is bad, it will simply remove like a standard antivirus.

Baldrick explains it better here:
community.webroot.com

Encryption Rollback ? how it works? | Webroot Community

Hi to all of Webrooters :) i seen recently this PcMag review ( http://www.pcmag.com/article2/0,2817,2470312,00.asp ) and part of that review is : This program was the ultimate unknown—never seen by anyone before until I compiled it. Webroot naturally started monitorin...
community.webroot.com community.webroot.com

In addition there’s the identity shield, which tries to protect your data

(page 52)
Click to expand...
Rollback has never worked in my tests :(
 
  • Like
  • Applause
Reactions: Behold Eck, Sorrento, Burrito and 7 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Webroot SecurityAnywhere is tested for a few years by AVLab. The methodology is very similar. Here are the results compared to a few other AVs.

AVLab (over 17 000 samples in 16 tests, July 2019 - November 2021)
The table contains the missed samples in these tests:

.............................MONTH:.. J......S.....O...N....j....m...M...J....S....N....j...m...M...J....S....N..
Avira Pro (Prime) ............... 0....12... 0...0... 0... 0... 1... 1... 1... 0... 0...0... 0... 0... 0...33 = 48 (16 tests)
Defender ............................ x ... x ...17.. 0 .. x.. 20.. x... x... 0... x... 8... 0... 0 ...x... 2... x = 47 (8 tests)
TrendMicro ........................ x ... x ... x ... x ... x.. 2..158 x ... x ...x ...x ...x ...x ...x ...x ... x = 160 (2 tests)
F-Secure .......................... 103.. x ...x ... 0 ...x ...x ....x ...x ...x ... x... 0... x ...x ...x ...x .. 0 = 103 ( 4 tests)
Webroot ............................ x .... 0 ...x ... 0 ...0 ...0 ...0 ...1 ...0 ... 0... 0... 0...0... 0... 0.. 3 = 4 (14 tests)

x - means that the AV did not participate in the test.
j = January, m= March

As we can see, such tests can have a big random error. The AVs can score 100% several times and suddenly terribly fail on tenths of samples.
Only AVs that are based on the file reputation lookup or detonation in the sandbox can avoid this error.
 
  • Like
Reactions: Nevi, Sorrento, OhioRebel and 5 others
F

ForgottenSeer 69673

Just out of curiosity, I would like to see someone do their 1000 sample test with this configuration just for giggles. Please?

While in shadow mode (Shadow Defender)
Using Appguard with extra configs ( Blocking as many LOLBINS as you can find)
And Firewall Application Blocker set to Block Internet.

Oh yes and using Edge set to restrict.
 
  • Like
  • Applause
Reactions: Nevi, Sorrento, GonzitoVir and 2 others
R

roger_m

Level 42
Verified
Top Poster
Content Creator
Dec 4, 2014
3,131
GonzitoVir said:
PCMag gave Webroot an 'outstanding' rating and 4.5 out of five star.
Click to expand...
The following is why it does so well.
I use the same set of curated samples for months, because the collection process itself takes weeks.
Click to expand...
Webroot does very well at detecting older malware. However, the results would be very different it it was tested against new malware. By only testing only with old samples, the PCMag tests lack credibility.
 
Last edited:
  • Like
  • +Reputation
Reactions: Nevi, peterfat11, Gandalf_The_Grey and 4 others

Similar threads

Shadowra
    • Like
    • +Reputation
    • Applause
App Review Webroot SecureAnywhere 2024 (With WHHLight & Wihout WHHLight)
Replies
14
Views
1,061
Video Reviews - Security and Privacy
Shadowra
Shadowra
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Webroot SecureAnywhere 2024
Replies
99
Views
10,158
Video Reviews - Security and Privacy
likeastar20
L
Shadowra
    • Like
    • +Reputation
    • Wow
App Review Webroot SecureAnywhere CE 2023
Replies
61
Views
8,243
Video Reviews - Security and Privacy
Shadowra
Shadowra

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top