Webroot SecureAnywhere AntiVirus
Description
Traditional antivirus engines store threat signature databases locally — files that can reach several gigabytes as they accumulate years of malware definitions. Webroot SecureAnywhere adopted a different architectural approach: bring the threat intelligence to the cloud and keep the local application small. The result is an antivirus installation of less than 15 MB that performs its initial scan in less than a minute, as opposed to the multi-gigabyte installations and multi-hour scans that full-database antivirus products require. Webroot’s cloud database does threat lookups in real time, by querying its servers when an unknown file is encountered instead of comparing against a local definition file.
Webroot Inc., which became part of OpenText Corporation in 2019 through OpenText's acquisition of Carbonite (Webroot's parent company at the time), built SecureAnywhere around this cloud-first architecture. The approach trades weaker offline detection for a small installation footprint and fast scans, which makes it especially suitable for systems where storage and performance are limited.
Threat Intelligence – Cloud Based
When Webroot encounters a file or URL it has not seen before, it queries the cloud-based Webroot Intelligence Network instead of a local signature database. The network classifies files as known-good, known-bad or unknown based on automated analysis and on data collected across Webroot's user base. An unknown file is allowed to run but placed in a monitored state: every action it takes is journaled, so that if the file is later classified as malicious, Webroot can roll back everything it did while it was unclassified. This journaling and rollback capability is what covers the window of exposure between a new threat's first execution and its classification.
Real-Time Protection
Real-time protection monitors file system activity, web browsing, and application execution. An executable that is not already recognized gets a cloud lookup before it is allowed to run. Web browsing protection checks URLs against Webroot's database of malicious and phishing websites and blocks access before the page loads. Because the heavy analysis work happens on Webroot's servers rather than on the local machine, the protection has minimal effect on local CPU and RAM usage.
Fast Scanning
Webroot's scan takes less than a minute on most systems because it does not have to read and hash every file on the drive and compare each one against a large local database. The scan focuses on active system locations (running processes, startup entries, browser components, and recently modified files) rather than exhaustively scanning every file. Full drive scans are available on demand for users who want complete coverage, but Webroot recommends the targeted scan as adequate for normal protection. A file that is present on disk but not active is therefore not examined by the targeted scan until it is executed, at which point the real-time protection performs the cloud lookup.
Identity Shield
The Identity Shield protects sensitive data entry against keyloggers and screen-capture malware. When a user opens a browser and navigates to a banking site or enters payment information, the Identity Shield applies additional monitoring to that session and blocks unauthorized applications from logging keystrokes or capturing screen content. The shield applies to browser sessions and to financial applications that have been designated as needing protection.
Firewall and Network Monitor
The firewall component monitors outbound connections from applications on the system, flagging applications that attempt unusual network connections and alerting when an unrecognized application tries to communicate with external servers. The network monitor lists active connections, showing the application, remote address and connection state for each session.
Rollback and Remediation
When a file that ran under Webroot's monitored unknown classification is later determined to be malicious, the rollback function reverses all actions that file took while it ran: files it created, registry changes it made, and settings it modified. This rollback is the mechanism Webroot relies on for zero-day threats that were not classified as malicious at the time they executed.
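To make the journaling and rollback idea from the Threat Intelligence and Rollback sections concrete, the following added example (not Webroot's code, and not a description of how its driver is implemented) simulates the flow: an unrecognized sample gets a cloud verdict of "unknown", is allowed to run with every side effect journaled, and is rolled back once a later lookup returns "bad". The "cloud" is an inline dict of SHA-256 digests, the "registry" is a plain dict, the file system is a temporary directory, and the dropper's behaviour is constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile

# Added example, not Webroot's code. Everything below is constructed:
# the "cloud" is a dict of sha256 -> verdict, the "registry" is a dict,
# and the monitored process is a Python function that uses a journaled API.

_ABSENT = object()  # marks a registry key that did not exist before the write


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def cloud_verdict(digest: str, cloud_db: dict) -> str:
    """Simulated network lookup: 'good', 'bad' or 'unknown' (never seen)."""
    return cloud_db.get(digest, "unknown")


class Journal:
    """Records the before-image of every side effect so it can be undone."""

    def __init__(self, root: str, registry: dict):
        self.root = root
        self.registry = registry
        self.entries = []  # (kind, key, before), in the order effects happened

    def _path(self, rel: str) -> str:
        return os.path.join(self.root, rel)

    def write_file(self, rel: str, data: bytes) -> None:
        path = self._path(rel)
        before = None  # None means the file did not exist before this write
        if os.path.exists(path):
            with open(path, "rb") as f:
                before = f.read()
        self.entries.append(("file", rel, before))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    def delete_file(self, rel: str) -> None:
        path = self._path(rel)
        with open(path, "rb") as f:
            before = f.read()
        self.entries.append(("file", rel, before))
        os.remove(path)

    def set_key(self, name: str, value: str) -> None:
        self.entries.append(("reg", name, self.registry.get(name, _ABSENT)))
        self.registry[name] = value

    def rollback(self) -> int:
        """Undo every journaled effect, newest first; returns the count undone."""
        undone = 0
        for kind, key, before in reversed(self.entries):
            if kind == "file":
                path = self._path(key)
                if before is None:          # file was created: remove it
                    if os.path.exists(path):
                        os.remove(path)
                    parent = os.path.dirname(path)
                    if parent != self.root:
                        try:
                            os.rmdir(parent)  # only succeeds if rollback emptied it
                        except OSError:
                            pass
                else:                       # modified or deleted: restore content
                    with open(path, "wb") as f:
                        f.write(before)
            elif before is _ABSENT:         # key was created: drop it
                self.registry.pop(key, None)
            else:                           # key was changed: restore old value
                self.registry[key] = before
            undone += 1
        self.entries.clear()
        return undone


def snapshot(root: str, registry: dict) -> tuple:
    """Hash every file under root plus the registry, for before/after comparison."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            with open(p, "rb") as f:
                files[os.path.relpath(p, root)] = sha256_hex(f.read())
    return (tuple(sorted(files.items())), tuple(sorted(registry.items())))


def start_monitored(sample: bytes, payload, root: str, registry: dict, cloud_db: dict):
    """Known-bad is blocked; known-good runs freely; unknown runs journaled."""
    verdict = cloud_verdict(sha256_hex(sample), cloud_db)
    if verdict == "bad":
        return "blocked", None
    journal = Journal(root, registry)
    payload(journal)  # runs with normal privileges; every effect is journaled
    return ("allowed", None) if verdict == "good" else ("monitored", journal)


def reclassify(journal: Journal, sample: bytes, cloud_db: dict) -> str:
    """Later verdict for a monitored file: roll back if it turned out malicious."""
    if cloud_verdict(sha256_hex(sample), cloud_db) == "bad":
        journal.rollback()
        return "rolled_back"
    return "monitored"


def dropper(j: Journal) -> None:
    """Constructed stand-in for an unknown executable's side effects."""
    j.write_file("hosts", b"127.0.0.1 localhost\n0.0.0.0 update.example\n")  # modify
    j.write_file("svc/agent.bin", b"MZ constructed payload")                 # create
    j.delete_file("notes.txt")                                                # delete
    j.set_key("Run\\agent", "svc\\agent.bin")                                 # persistence
    j.set_key("Settings\\UAC", "off")                                         # change setting


def demo() -> dict:
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "hosts"), "wb") as f:
        f.write(b"127.0.0.1 localhost\n")
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"keep me\n")
    registry = {"Settings\\UAC": "on"}
    sample = b"constructed-unknown-binary"
    cloud_db = {sha256_hex(b"constructed-known-good"): "good"}  # sample absent: unknown
    before = snapshot(root, registry)
    initial, journal = start_monitored(sample, dropper, root, registry, cloud_db)
    during = snapshot(root, registry)
    effects = len(journal.entries)
    cloud_db[sha256_hex(sample)] = "bad"  # the network classifies it later
    final = reclassify(journal, sample, cloud_db)
    after = snapshot(root, registry)
    shutil.rmtree(root)
    return {"initial": initial, "final": final, "effects": effects,
            "before": before, "during": during, "after": after}


if __name__ == "__main__":
    r = demo()
    print(r["initial"], r["final"], "restored:", r["after"] == r["before"])
```

The journal stores a before-image for every write, so rollback replays the entries newest-first and the file system and registry return to the pre-execution snapshot. The caveat this example makes visible is the scope of what a journal can undo: only local side effects that passed through the journaled API are reversible; anything the sample did outside it, such as data it already sent over the network, is not undone by rollback.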
Offline Detection
Webroot's primary detection depends on cloud connectivity. When the device is offline, Webroot falls back to a local heuristic layer that analyzes behavior patterns instead of performing cloud lookups; this still provides some protection, but at a lower level than the cloud-backed classification. Weaker offline detection is a known drawback relative to full-database antivirus products, which detect threats entirely from local definitions.