Webroot SecureAnywhere CE 22.2 v's 1000 sample .exe test

kC77

Level 5
Thread author
Verified
Well-known
Aug 16, 2021
230
Webroot.... an AV ive never tried before, grabbed the trial, left settings at defaults...
when clicking update it prompts that there are no signatures to download, seems its entirely cloud based.

really failed in a big way, there was many samples missed, i added a glasswire instance so it was obvious to see any samples/infections communicating with the web. (also flagged by my ids)
Process explorer was soon killed and i couldnt restart it, the command prompt was killed so i wasnt sure if the samples batch was still running..... im guessing it was though!
It didnt even make it 1000 samples ran before i restarted the machine (it was obviously infected already)

Many items items added to startup, and in the end, something had managed to add itself an admin account called ADMIN_1 and then removed my account from being an administrator..... game over webroot!
nothing really positive to say about webroot! AVOID!
gif of the test (45mb) dropbox download
 
Last edited:

Shadowra

Level 33
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,243
Absolutely true….. seen and heard that too many times to mention. It’s just plain trash. Sad to recall how they destroyed Prevx 😢

Peace to all ✌️

Prevx.... So much that I remember this software, it hurts my heart.... I loved it as a child....
Webroot destroyed it, there is nothing left of it......
 

ChoiceVoice

Level 6
Verified
Oct 10, 2014
280
i'd turn heuristics to max, instead of default (which seems to be more for complimentary AV usage) and try test again. i can't recall, i think infrared is on by default, but just incase, make sure. and check to see if anything is marked as untrusted, those have been flagged and are `sandboxed' with limited functionality (until their weaker sigs catch up and delete them). you can beef up the firewall settings too to get warnings of if an untrusted process tries to access the net. because it can be used as a complimentary AV it doesn't jump on samples aggressively, but waits to after they execute and then makes a determination (which is why it doesn't test well), that way it doesn't fight with another AV. because of this, you will see infections in the process explorer etc being active . they should be controlled and watched, and later any malicious activity reversed (sometimes after days, cuz they are slower with their sigs). however, i can't recall if journaled and limited apps can access the internet. i think there is a firewall setting to turn that off, which would stop that activity. but the internet access might mean something failed to be stopped (?). if infected though, they clean your computer for free (likely not with your trial though, lol).
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
It has been quite some time. So it’s possible the following information is no longer relevant with Webroot.

The way Webroot tries to work isn’t the standard “get signature, detect malware” like other products.

Webroot relies heavily on its rollback feature. It monitors unknown/potentially dangerous processes for a period of time, and once it determines the process is bad it rollbacks the changes the process has done.

Processes it already knows is bad, it will simply remove like a standard antivirus.

Baldrick explains it better here:

In addition there’s the identity shield, which tries to protect your data

(page 52)
 

Sorrento

Level 9
Verified
Well-known
Dec 7, 2021
402
I miss the truly gigantic monitoring files it used to rack up in WRDATA - You could submit to unknowns to support as needed but not exactly user friendly & they used to brag that the install exe would fit on an old floppy - No mention was made of the monitoring files?
 

Andrew3000

Level 11
Verified
Top Poster
Malware Hunter
Well-known
Feb 8, 2016
516
It has been quite some time. So it’s possible the following information is no longer relevant with Webroot.

The way Webroot tries to work isn’t the standard “get signature, detect malware” like other products.

Webroot relies heavily on its rollback feature. It monitors unknown/potentially dangerous processes for a period of time, and once it determines the process is bad it rollbacks the changes the process has done.

Processes it already knows is bad, it will simply remove like a standard antivirus.

Baldrick explains it better here:

In addition there’s the identity shield, which tries to protect your data

(page 52)
Rollback has never worked in my tests :(
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Webroot SecurityAnywhere is tested for a few years by AVLab. The methodology is very similar. Here are the results compared to a few other AVs.

AVLab (over 17 000 samples in 16 tests, July 2019 - November 2021)
The table contains the missed samples in these tests:

.............................MONTH:.. J......S.....O...N....j....m...M...J....S....N....j...m...M...J....S....N..
Avira Pro (Prime) ............... 0....12... 0...0... 0... 0... 1... 1... 1... 0... 0...0... 0... 0... 0...33 = 48 (16 tests)
Defender ............................ x ... x ...17.. 0 .. x.. 20.. x... x... 0... x... 8... 0... 0 ...x... 2... x = 47 (8 tests)
TrendMicro ........................ x ... x ... x ... x ... x.. 2..158 x ... x ...x ...x ...x ...x ...x ...x ... x = 160 (2 tests)
F-Secure .......................... 103.. x ...x ... 0 ...x ...x ....x ...x ...x ... x... 0... x ...x ...x ...x .. 0 = 103 ( 4 tests)
Webroot ............................ x .... 0 ...x ... 0 ...0 ...0 ...0 ...1 ...0 ... 0... 0... 0...0... 0... 0.. 3 = 4 (14 tests)


x - means that the AV did not participate in the test.
j = January, m= March

As we can see, such tests can have a big random error. The AVs can score 100% several times and suddenly terribly fail on tenths of samples.
Only AVs that are based on the file reputation lookup or detonation in the sandbox can avoid this error.
 
F

ForgottenSeer 69673

Just out of curiosity, I would like to see someone do their 1000 sample test with this configuration just for giggles. Please?

While in shadow mode (Shadow Defender)
Using Appguard with extra configs ( Blocking as many LOLBINS as you can find)
And Firewall Application Blocker set to Block Internet.

Oh yes and using Edge set to restrict.
 

roger_m

Level 41
Verified
Top Poster
Content Creator
Dec 4, 2014
3,014
PCMag gave Webroot an 'outstanding' rating and 4.5 out of five star.
The following is why it does so well.
I use the same set of curated samples for months, because the collection process itself takes weeks.
Webroot does very well at detecting older malware. However, the results would be very different it it was tested against new malware. By only testing only with old samples, the PCMag tests lack credibility.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top