In the early days of viruses and other computer malware, antivirus utilities relied on ever-growing signature databases to identify dangerous files. Polymorphic malware foiled signatures, so security companies devised heuristic and behavior-based detection methods. This proliferation of techniques sometimes created very large programs. Rather than expand to catch every new attack instantly, Webroot SecureAnywhere AntiVirus keeps watch on unknown programs until its brain in the cloud comes to a judgment. If it's thumbs down, the tiny local program wipes out the attacker and reverses its actions. It's a very unusual system, but testing proves that it does the job, and does it well.

Price-wise, Webroot runs with the pack. Like Bitdefender, Kaspersky, and several others, it costs just under $40 for a one-year subscription. Where a three-license Webroot subscription cost $10 more, the other two ask another $20. Norton's standalone antivirus doesn't have a multi-license plan, and one license will run you $49.99. As for McAfee AntiVirus Plus, it costs $59.99 per year, but that subscription gets you unlimited protection for your Windows, macOS, Android, and iOS devices. As always, you may find any of these prices discounted for the first year, sometimes quite deeply.

You can use your Webroot licenses to install antivirus on both PCs and Macs. Some components of Webroot SecureAnywhere Antivirus (for Mac), in particular the web-based protection system, are identical on both platforms. Overall, the two products offer similar security features, though Webroot doesn't go quite as overboard with expert features on the Mac.

Webroot's installer is tiny, less than 4MB, and it installs in a flash. Immediately on installation, it gets busy with a collection of startup tasks, checking off each one as it finishes. Among the listed tasks are: scanning for active malware; analyzing installed applications to reduce warnings and prompts; establishing a system baseline; and optimizing performance for your unique system configuration. Even with these added tasks, the process goes quickly.

The product's appearance hasn't changed appreciably since my last review. Its green-toned main window features a lighter panel that includes statistics about recent scans and a button to launch an on-demand scan. Even if you never click that button, Webroot makes a full scan during installation and runs a scheduled scan every day. A panel at the right manages access to the rest of this product's significant collection of security features.

Lab Test Conundrum

As noted, Webroot handles new, unknown programs by letting them run under strict monitoring. It prohibits irreversible actions like sending personal data to the internet, and keeps a journal of reversible actions, all while awaiting a verdict from Webroot's cloud analysis system. If the program under judgment proves to be nasty, Webroot wipes it out and reverses all its changes.

This system just isn't compatible with many independent lab tests. Labs like AV-Test Institute and AV-Comparatives expect antivirus programs to act right away on malware they recognize, whether detection occurs using signatures, heuristics, or behavioral analysis. Webroot's relationship with the labs has been rocky, but two of the four that I follow have recently included Webroot in their testing, with decent results.

Lab Test Results Chart

Researchers at MRG-Effitas report on two main tests, one specific to banking Trojans and one aiming to cover the full range of malware types. Security programs that don't earn near-perfect scores simply fail; these are tough tests. Webroot passed the banking Trojans test, unlike more than half the products tested. It earned Level 2 certification in the all-types test. That second score means that while it didn't immediately prevent all the malware attacks, it remediated them completely within 24 hours. This test lines up perfectly with Webroot's watch-and-wait system.

SE Labs certifies antivirus products at five levels, AAA, AA, A, B, and C; Webroot earned a B. My contact at Webroot pointed out that the product scored well at its main task of blocking malware execution, but lost points for its handling of such things as targeted attacks. He said he'd be pleased with a different scoring system, but felt that Webroot did well overall.

I use an algorithm to derive an aggregate lab score for products tested by at least two labs. My algorithm maps all results onto a 10-point scale and returns a value from 0 to 10. Webroot's 7.7 points is decidedly on the low side, but decent considering that it doesn't truly jibe with common testing methods. It's certainly better than no test results at all, and it passed both tough tests by MRG-Effitas.

As ever, Bitdefender Antivirus Plus and Kaspersky take perfect or near-perfect scores from the labs. Bitdefender's current aggregate score is 10 points, while Kaspersky, tested by all four labs, has 9.9.

Excellent Malware Protection

For the past few years, Webroot has done very well in my own hands-on malware protection tests, though it handles them differently from most other products. When I downloaded my folder of samples from Dropbox and opened it, Webroot didn't react immediately, the way many products do. However, the first sample I launched triggered a kind of chain reaction.

Webroot popped up to report that it had identified malware, and offered to remove it. After removal, it asked permission to scan the system, to wipe out any remaining malware. The thought of enduring a full system scan just because of one found threat might alarm you, but it needn't. I'm not talking the hours-long scan that I measured for Norton, McAfee, Avast, and a few others. A full scan with Webroot takes from five to seven minutes—not long at all.

At the end of that scan, it removed another group of threats, and asked to scan yet again. The second scan blew away all the remaining samples, without disturbing a couple dozen legitimate files residing in the same folder. Once again, Webroot detected 100 percent of the samples and scored 10 of 10 possible points.

Webroot is the first product to eliminate all current samples, from pernicious ransomware to potentially unwanted programs. Previously the top score was 9.3, shared by Norton, McAfee, Cylance Smart Antivirus($5.99 at Cylance), and F-Secure.

The scan did whack a couple of my hand-coded testing tools, but I can't really blame it. Here you have a program that's never been seen before by the cloud analysis system, and its purpose is to launch fraudulent URLs. Suspicious much? I restored my tools from quarantine and proceeded with testing.

Malware Protection Results Chart

Of course, all my preselected samples are veritable antiques to Webroot, seen and known for months. To get a look at protection against the latest threats, I start with a feed of URLs that researchers at MRG-Effitas recently found to be hosting malware. Typically, these are no more than a couple days old. I launch each and note whether the antivirus prevents browser access to the dangerous URL, eliminates the file upon download, or completely fails to notice the malware download.

Of more than 100 validated dangerous URLs, Webroot blocked 51 percent in the browser and wiped out the malware payload of another 29 percent. With 80 percent protection overall, it's in the lower half of scores for this test, but that's in part because it doesn't bring every resource to examining downloaded files. Let me explain.

Just to see what would happen, I launched one of the downloaded malware samples. That's not how this test normally works, but I'm glad I checked. Webroot detected the sample and launched a scan that eliminated most of the downloaded malware. The result would have been 97 percent protection, right up there with McAfee and Trend Micro. Only Norton and Bitdefender, with 99 percent, have done better.

I asked my Webroot contact why the scan at download time seemed less effective than the later scan. He explained that for efficiency the scan doesn't focus as strongly on files that were merely downloaded but not yet executed. That's because any such file will get serious scrutiny before it launches. And indeed, launching just one of those files set off the scan that wiped out all but a few of them.

Phishing Protection Success

There's nothing intrinsically dangerous about a phishing website—no drive-by downloads, malicious scripts, or other active threats, just an inviting imitation of a secure website. You're perfectly safe, unless you haplessly enter your login credentials on one of these fraudulent sites. If you do fall for the fraud, though, you've just given away full access to your bank site, shopping site, even dating site. It's not good.

These fraudulent sites get shut down and blacklisted quickly, but the perpetrators simply pop up another fake and start trolling for victims. To test an antivirus product's phishing protection, I try to include phishing URLs that are so new there's been no time to analyze and blacklist them. I launch each URL in a browser protected by the product in question, and simultaneously in browsers relying on the phishing protection built into Chrome, Firefox, and Internet Explorer. I discard any that fail to load in one or more of the browsers, and any that don't precisely fit the definition of phishing. Once I have 100 or so data points, I run the numbers.

Phishing Protection Results Chart

Webroot did a very good job detecting and fending off fraudulent sites, significantly better than when last tested. It blocked 97 percent of the verified frauds, and outperformed all three of the browsers. A few others have done better recently, in particular Kaspersky Anti-Virus and McAfee with 100 percent protection, but Webroot joins the growing cluster of phishing protectors with scores near the top.

For tips on averting this kind of attack, please read my feature on how to avoid phishing scams.

See How We Test Security Software

Ransomware Experiments

The journal and rollback system that Webroot uses can even roll back the effects of encrypting ransomware, though the company warns that limitations, such as available drive space, can impact this ability. In truth, it would be very unusual for a ransomware attack to get past all the other layers of protection. Webroot wiped out all my ransomware samples, most by recognizing them as known bad programs, a few by noticing bad behavior after launch. I had to scramble to figure out how to test its ransomware protection.

My coding skills are rusty; there's no way I could write a never-before-seen encrypting ransomware specimen, even if I wanted to. For testing, I wrote a simple-minded ransomware simulator that encrypts all text files in the document folder using reversible XOR encryption. I had performed this test during my last review, meaning that Webroot would recognize and eliminate the program on launch. To avert that effect, I modified the program, changing its name, length, and a few non-executable bytes.

The newly disguised program ran unhindered, and I verified that it did encrypt the target files. In Webroot's Active Processes list, I found the program running in Monitored mode, meaning Webroot was keeping detailed track of its activity. Rather than waiting for a decision from Webroot's cloud-based brain, I cut to the chase. In the processes list I blocked the program, confirmed immediate termination, and launched a scan. The scan removed the file and reversed its actions, restoring the encrypted files, just as I had hoped.

Webroot's monitoring system works with all malware types. A similar feature in Trend Micro Antivirus+ Security($29.95/Year at Trend Micro Small Business) focuses just on ransomware. At the first sign of ransomware behavior, it backs up important files. If its behavioral detection verifies a ransomware attack, it terminates the malware and restores the backed-up files.

That little experiment with a hand-modified version of my file encryptor test inspired me to try testing with a hand-modified version of Cerber, a rather nasty real-world ransomware attack. The results were rather different. This time, the modified attack ran to completion, encrypting my documents and displaying its ransom demand. What happened?

When I shared my experience, my contact at Webroot explained that Cerber uses an unusual technique called "process hollowing," which lets its code run inside an existing trusted process. Webroot has a defense against this technique in the works, but it won't be released until next year. He admitted that in a case like this, the "Patient Zero" victim of the first attack could lose files, but Webroot should learn from the attack and protect other users. Indeed, when I rolled back the virtual machine to a clean state and repeated the test, Webroot wiped out the modified ransomware immediately.

Helpful Firewall

For many security companies, the addition of a personal firewall is one of the features that distinguishes the security suite from the standalone antivirus. Webroot's antivirus includes a firewall, but it doesn't work quite the same as most. It makes no attempt to put your system's ports in stealth mode, leaving that task to the built-in Windows Firewall. That's fine; the built-in does a good job.

Related The Best Antivirus Protection for 2020

Webroot's firewall doesn't attempt to fend off network-based exploits. When I hit the test system with about 30 exploits generated by the CORE Impact penetration tool, it didn't react. Since the test system is fully patched, the exploits also didn't have any opportunity to do penetrate and damage it.

Webroot classifies programs as good, bad, or unknown. Like Symantec Norton AntiVirus Basic, it leaves the good ones alone, eliminates the bad ones, and monitors the unknowns. As mentioned earlier, if a monitored unknown program tries a non-reversible action like sending your credit card details overseas, Webroot steps in to stop it.

By default, the firewall ups its game when Webroot detects an active infection, which causes the main window to turn from green to dramatic red. In this mode, any network traffic by unknown programs requires your permission, but normal activities like Web browsing proceed uninterrupted.

If you just love those endless firewall popups, you can tweak the firewall's settings to enable such old-school behavior. Now you get a warning every time an untrusted program tries Internet access. You can even go a step farther, setting it to block all access for processes that aren't already trusted.

In testing, even though I left the firewall at its default settings, I found that it sometimes popped up to ask how to handle untrusted programs. It even asked me about Opera's auto-updater. These notifications came with a two-minute timeout, meaning that Webroot would allow access eventually if I did not respond.

Of course, firewall protection means bubkes if a malware coder can reach in and turn it off. The more processes and services a security tool contains, the more chances there are for chicanery. With just two processes and one service, and no settings exposed in the Registry, Webroot is buttoned up tight. My every attempt to halt its protection resulted in an ignominious "Access Denied" message.

For Experts Only

Like most modern antivirus utilities, Webroot works fine if you set it and forget it. It comes configured for maximum protection, and if you don't make any changes, it runs a scan every day. What more could you want? In truth, if you dig a bit, you'll find a ton of features and settings. If you don't dig, no problem!

Clicking the settings gear next to Identity Protection on the main window brings up a page with controls that toggle what it calls Phishing Shield and Identity Shield. The rest of the page displays a laundry list of just what these shields involve. They aim to fend off a wide variety of typical malware attacks including man-in-the-middle, browser process modification, and keylogging. It automatically chooses applications for this protection; on my test system it chose Internet Explorer and Google Updater. You can also add to the list manually.

A set of antimalware tools lets you repair damage left behind after malware remediation, like malware-modified desktop background, screensaver, or system policies. You can also use it to quickly reboot into Safe Mode, or to perform an instant reboot. Those with the necessary skills can manually remove malware, along with its associated Registry data. Even if you claim no tech skills yourself, you can run a removal script created by Webroot tech support.

I mentioned the Active Processes list earlier, which shows all running processes and flags those that are under monitoring by Webroot. If you really want to see what Webroot is doing, you can open the Reports page and check its current activity, or history. You probably won't want to read the available scan log or threat log, but tech support may ask for them. And Webroot tech support is available 24/7, with call centers in Australia, Ireland, and the US.

There are features for experts, and features for professionals. SafeStart Sandbox is among the latter. If you're a trained antivirus researcher, you can use it to launch a suspect program under detailed limitations that you specify. If you're not, just leave it alone. I don't even use that one myself.

Small Is Beautiful

If you open the folder containing a typical antivirus or security suite, you'll find an amazing number of files and folders. When I checked at one point, Norton's program folder contained over 1,250 files and 130 folders, and occupied 702MB of disk space. Bitdefender's files and folders didn't take quite as much space on disk, but they ran to more than 4,500 files and 200 folders. These aren't even the biggest!

As for Webroot, it's ridiculously small. Open its folder and you find exactly one file, WRSA.exe, with a size less than 4MB. That's tiny! As noted, Task Manager reveals just two Webroot processes. Norton also packs its protection into two processes, while others require more. During one test, I found 16 active processes for McAfee, for example. Webroot relies on just one Windows service, but some others run to more than a dozen.

Just because a product uses more of processes or services doesn't necessarily mean it's eating up more of your system resources. It's conceivable that a program with just one resource-hungry process could overload your system. Conceivable, but unlikely. By every measure I've found, Webroot remains the smallest antivirus around.

Still a Winner

Webroot SecureAnywhere AntiVirus doesn't jibe with the testing methods used by many of the independent testing labs, though it's beginning to pick up traction with a couple of them. In my own hands-on testing, it earned a perfect score for malware protection and a very good antiphishing score. Its score against malware-hosting URLs was so-so, but when we triggered a more intense scan that score soared. And we demonstrated empirically that under the right circumstances, it can reverse ransomware damage. It remains an antivirus Editors' Choice, sure to please those who want good things in a small package.

Kaspersky Anti-Virus and Bitdefender Antivirus Plus routinely earn perfect or near-perfect scores from the antivirus testing labs, and both come with a panoply of useful bonus features. McAfee AntiVirus Plus doesn't always score as high in lab tests or our own tests, but it's a bargain, offering protection for every Windows, macOS, Android, and iOS device in your household. These three tools round out our collection of Editors' Choice antivirus products, each with its own special merits.

Artboard Created with Sketch. Webroot SecureAnywhere AntiVirus 4.5 Editors' Choice Check Price Pros Perfect score in our malware protection test.

Very good antiphishing score.

Ransomware protection.

Light on system resources.

Fast scan, tiny size.

Advanced features. View More Cons Limited lab test results due to unusual detection techniques.

Missed one unique hand-modified ransomware sample in testing. The Bottom Line Tiny, speedy Webroot SecureAnywhere AntiVirus keeps a light touch on your system's resources. It aces our hands-on malware protection test, and can even roll back ransomware activity.

Best Antivirus Picks

Further Reading