Webroot SecureAnywhere CE 22.2 vs 1000-sample .exe test

kC77

Level 4
Thread author
Aug 16, 2021
191
Webroot.... an AV I've never tried before. Grabbed the trial, left settings at defaults...
When clicking update it prompts that there are no signatures to download; seems it's entirely cloud based.

Really failed in a big way; there were many samples missed. I added a GlassWire instance so it was obvious to see any samples/infections communicating with the web (also flagged by my IDS).
Process Explorer was soon killed and I couldn't restart it; the command prompt was killed so I wasn't sure if the samples batch was still running..... I'm guessing it was though!
It didn't even make it to 1000 samples run before I restarted the machine (it was obviously infected already).

Many items added to startup, and in the end, something had managed to add itself an admin account called ADMIN_1 and then removed my account from being an administrator..... game over Webroot!
Nothing really positive to say about Webroot! AVOID!
GIF of the test (45 MB): Dropbox download
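A check a tester in this position would want, added here as an example and not part of the original post: diff the local Administrators group before and after a run, parsed from captured `net localgroup Administrators` output. The before/after text below is constructed to mirror the outcome described above (ADMIN_1 added, the tester's account demoted); the account names and the expected-admin allow-list are assumptions.

```python
"""Detect unexpected changes to the local Administrators group.

Capture a baseline before the test and a snapshot afterwards, e.g. from an
elevated prompt on the test VM:
    net localgroup Administrators > admins_before.txt
    net localgroup Administrators > admins_after.txt
then compare the two. The samples below are constructed for this example
(English Windows output layout); they are not captured from the thread's test.
"""
from typing import Dict, List, Set

# Constructed baseline: the tester's account (assumed name "kC77") is an admin.
ADMINS_BEFORE = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
kC77
The command completed successfully.
"""

# Constructed post-run snapshot: ADMIN_1 appeared and kC77 was demoted.
ADMINS_AFTER = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
ADMIN_1
Administrator
The command completed successfully.
"""


def parse_net_localgroup(output: str) -> Set[str]:
    """Return the member names from `net localgroup <group>` output.

    Members are listed one per line between the dashed separator and the
    'The command completed successfully.' trailer; everything else is header.
    Names are kept exactly as printed (Windows compares them case-insensitively;
    apply .casefold() first if snapshots come from different tools).
    """
    members: Set[str] = set()
    in_members = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not in_members:
            if set(line) == {"-"}:   # separator row of dashes starts the member list
                in_members = True
            continue
        if line.startswith("The command completed"):
            break
        members.add(line)
    return members


def diff_members(before: Set[str], after: Set[str]) -> Dict[str, List[str]]:
    """Set difference in both directions, sorted for stable reporting."""
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def audit_admins(baseline_output: str, current_output: str,
                 expected_admins: Set[str]) -> List[str]:
    """Flag admins that appeared without authorisation and expected admins that vanished.

    `expected_admins` is the allow-list the tester maintains (an assumption here).
    """
    change = diff_members(parse_net_localgroup(baseline_output),
                          parse_net_localgroup(current_output))
    findings: List[str] = []
    for name in change["added"]:
        if name not in expected_admins:
            findings.append(f"unexpected local administrator added: {name}")
    for name in change["removed"]:
        if name in expected_admins:
            findings.append(f"expected administrator removed: {name}")
    return findings


if __name__ == "__main__":
    for finding in audit_admins(ADMINS_BEFORE, ADMINS_AFTER, {"Administrator", "kC77"}):
        print(finding)
```

Run against the constructed snapshots it reports the two findings that match the post (ADMIN_1 added, kC77 removed); against two identical snapshots it reports nothing. The same before/after pattern applies to the startup entries the post mentions, with a different parser for the Run keys or startup folder listing.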

ChoiceVoice

Level 6
Oct 10, 2014
280
I'd turn heuristics to max, instead of default (which seems to be more for complementary AV usage), and try the test again. I can't recall, but I think Infrared is on by default; just in case, make sure. And check to see if anything is marked as untrusted: those have been flagged and are 'sandboxed' with limited functionality (until their weaker sigs catch up and delete them). You can beef up the firewall settings too to get warnings if an untrusted process tries to access the net.

Because it can be used as a complementary AV, it doesn't jump on samples aggressively, but waits until after they execute and then makes a determination (which is why it doesn't test well); that way it doesn't fight with another AV. Because of this, you will see infections in Process Explorer etc. being active. They should be controlled and watched, and later any malicious activity reversed (sometimes after days, because they are slower with their sigs).

However, I can't recall if journaled and limited apps can access the internet. I think there is a firewall setting to turn that off, which would stop that activity. But the internet access might mean something failed to be stopped (?). If infected though, they clean your computer for free (likely not with your trial though, lol).

Azure

Level 27
Verified
Top poster
Content Creator
Oct 23, 2014
1,618
It has been quite some time. So it’s possible the following information is no longer relevant with Webroot.

The way Webroot tries to work isn’t the standard “get signature, detect malware” like other products.

Webroot relies heavily on its rollback feature. It monitors unknown/potentially dangerous processes for a period of time, and once it determines the process is bad it rolls back the changes the process has done.

Processes it already knows are bad, it will simply remove like a standard antivirus.

Baldrick explains it better here:

In addition there’s the identity shield, which tries to protect your data

(page 52)

Sorrento

Level 4
Dec 7, 2021
190
I miss the truly gigantic monitoring files it used to rack up in WRDATA. You could submit unknowns to support as needed, but it was not exactly user friendly, and they used to brag that the install exe would fit on an old floppy. No mention was made of the monitoring files?

Andrew3000

Level 10
Verified
Malware Tester
Well-known
Feb 8, 2016
465
Azure wrote:

    It has been quite some time. So it's possible the following information is no longer relevant with Webroot.

    The way Webroot tries to work isn't the standard "get signature, detect malware" like other products.

    Webroot relies heavily on its rollback feature. It monitors unknown/potentially dangerous processes for a period of time, and once it determines the process is bad it rolls back the changes the process has done.

    Processes it already knows are bad, it will simply remove like a standard antivirus.

    Baldrick explains it better here:

    In addition there's the identity shield, which tries to protect your data

    (page 52)

Rollback has never worked in my tests :(

Andy Ful

Level 81
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,005
Webroot SecureAnywhere has been tested for a few years by AVLab. The methodology is very similar. Here are the results compared to a few other AVs.

AVLab (over 17 000 samples in 16 tests, July 2019 - November 2021)
The table contains the missed samples in these tests:

                     2019              2020                      2021
                     Jul Sep Oct Nov   Jan Mar May Jul Sep Nov   Jan Mar May Jul Sep Nov   Missed (tests)
Avira Pro (Prime)      0  12   0   0     0   0   1   1   1   0     0   0   0   0   0  33    48 (16 tests)
Defender               x   x  17   0     x  20   x   x   0   x     8   0   0   x   2   x    47 (8 tests)
TrendMicro             x   x   x   x     x   2 158   x   x   x     x   x   x   x   x   x   160 (2 tests)
F-Secure             103   x   x   0     x   x   x   x   x   x     0   x   x   x   x   0   103 (4 tests)
Webroot                x   0   x   0     0   0   0   1   0   0     0   0   0   0   0   3     4 (14 tests)

x - the AV did not participate in that test.

As we can see, such tests can have a big random error. The AVs can score 100% several times and suddenly terribly fail on tens of samples.
Only AVs that are based on the file reputation lookup or detonation in the sandbox can avoid this error.
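To make the "big random error" point concrete, here is a small added analysis (example code, not from the post, from AVLab or from any of the vendors) over the miss counts transcribed from the table above. It computes, per product, the total misses, the share contributed by the single worst test, and the total with that one test dropped, then ranks the products each way. The transcription of the table into the MISSED dictionary is mine and is the only data assumed.

```python
"""Sensitivity of AVLab-style totals to a single bad test.

The counts below are transcribed from the summary table in the post above
(missed samples per test, July 2019 - November 2021; None = did not take part).
Nothing here is AVLab's own data format or tooling; it is an added example.
"""
from statistics import mean, median
from typing import Dict, List, Optional

MISSED: Dict[str, List[Optional[int]]] = {
    "Avira Pro (Prime)": [0, 12, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 0, 33],
    "Defender":          [None, None, 17, 0, None, 20, None, None, 0, None, 8, 0, 0, None, 2, None],
    "TrendMicro":        [None] * 5 + [2, 158] + [None] * 9,
    "F-Secure":          [103, None, None, 0] + [None] * 6 + [0] + [None] * 4 + [0],
    "Webroot":           [None, 0, None, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 3],
}


def summarize(row: List[Optional[int]]) -> Dict[str, float]:
    """Per-product statistics over the tests the product actually took part in."""
    scores = [s for s in row if s is not None]
    total = sum(scores)
    worst = max(scores)
    return {
        "tests": len(scores),
        "total": total,
        "mean": mean(scores),
        "median": median(scores),
        "worst": worst,
        # fraction of all misses that came from the single worst test
        "worst_share": worst / total if total else 0.0,
        # what the headline total would be had that one test not happened
        "total_without_worst": total - worst,
    }


def rank(by: str) -> List[str]:
    """Product names ordered best (fewest misses) to worst by the chosen statistic."""
    stats = {name: summarize(row)[by] for name, row in MISSED.items()}
    return sorted(stats, key=lambda name: stats[name])


if __name__ == "__main__":
    for name, row in MISSED.items():
        s = summarize(row)
        print(f"{name:<18} tests={s['tests']:>2} total={s['total']:>4} "
              f"mean={s['mean']:>6.2f} median={s['median']:>5.1f} "
              f"worst={s['worst']:>4} ({s['worst_share']:.0%} of total) "
              f"without worst={s['total_without_worst']:>4}")
    print("by total:        ", rank("total"))
    print("by mean per test:", rank("mean"))
    print("without worst:   ", rank("total_without_worst"))
```

Run as a script it prints the per-product table and three rankings. Ranking by total puts Defender just ahead of Avira; ranking by mean per test reverses them, because Defender took part in half as many tests. Dropping each product's single worst test moves F-Secure from second-worst to best (all 103 of its misses came from one test), which is exactly the instability the post describes: a headline total over a handful of tests is dominated by whichever test happened to go badly.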

ticklemefeet

Level 26
Jan 31, 2018
1,549
Just out of curiosity, I would like to see someone do their 1000 sample test with this configuration just for giggles. Please?

While in shadow mode (Shadow Defender)
Using AppGuard with extra configs (blocking as many LOLBins as you can find)
And Firewall Application Blocker set to Block Internet.

Oh yes and using Edge set to restrict.

roger_m

Level 37
Verified
Top poster
Content Creator
Dec 4, 2014
2,603
PCMag gave Webroot an 'outstanding' rating and 4.5 out of five stars.
The following is why it does so well:
"I use the same set of curated samples for months, because the collection process itself takes weeks."
Webroot does very well at detecting older malware. However, the results would be very different if it were tested against new malware. By testing only with old samples, the PCMag tests lack credibility.