Pros & Cons
Pros:
- Certified by independent AV labs.
- Multiple layers of protection prevent installation of most malware.
- Did a good job of cleaning up malware-infested systems.
- Now includes firewall.
Cons:
- Didn't prevent malware installation as effectively as the competition.
- Keylogger shield doesn't seem to do anything.
- Firewall didn't fully stealth system.
- Firewall "anomaly" pop-ups can be annoying.
Webroot AntiVirus with AntiSpyware and Firewall Specs
| OS Compatibility: | Windows Vista, Windows XP |
| Type: | Personal, Professional |
Still Sweeping Spies
The antivirus and antispyware portions of the program are completely unchanged since I reviewed SSAV 5.5 earlier this year, except, of course, for new malware signatures. Webroot representatives assured me I wouldn't need to retest the product's ability to scour malware-infested systems and keep spotless systems clean. Just to confirm, I did some spot-checking, selecting samples that had given SSAV 5.5 a bit of trouble. Indeed, my results were unchanged. At the time of my review of SSAV 5.5, West Coast Labs was in the process of analyzing Webroot's antivirus technology. Now both West Coast Labs and ICSA Labs have certified the product for virus detection and removal, and it has also received the VB100% award from Virus Bulletin.
WAV still doesn't have all its protective settings turned on by default. You'll want to enable rootkit detection in the Full Sweep and turn on the Keylogger shield. With these settings in place, it removed almost all of the malware samples from my test systems, scoring 9.0 out of a possible 10.
WAV's numerous shield modules offer multiple layers of protection, blocking malware from installing on a clean system by catching it at different points in the process. Internet Communication Shield blocks all access to known malware-hosting sites. Execution Shield blocks malware when it tries to launch, and File System Shield blocks copying of malware-related files to disk. The BHO Shield, ActiveX Shield, and various other modules contribute to protection as needed. When I tested its ability to keep malware off a clean system, SSAV scored 8.1 of 10, and this result applies equally to the current WAV. That figure had better improve going forward: On the same test, Spyware Doctor scored 9.8 and Panda got a perfect 10. On a parallel test using commercial keyloggers instead of malware, both SSAV (and, therefore, WAV) and Spyware Doctor scored 7.1. Panda limped in with 3.6, and Norton Internet Security 2008 blocked all the samples for 10 out of 10. Here again the suites have progressed while WAV hasn't.
While the product's antivirus gets awards from the independent testing labs, its antispyware side is better at removing already installed malware than it is at keeping clean systems uninfected. For more details about this side of the product, see my earlier review of Spy Sweeper with AntiVirus 5.5.
Webroot's Firewall—the Expected
Webroot distributes the Webroot Desktop Firewall (WDF)—powered by technology from PrivacyWare—as a standalone product for $19.95. At present, however, it's available at a promotional price of $0. That's right, it's free. As noted, it remains completely separate from the antivirus/antispyware component, so you need to do two separate installations.
Like ZoneAlarm's firewall (and many other firewalls), WDF uses stricter settings for the local network than for your Internet connection. You can also define distinct profiles for three different networks, characterized as Home, Office, and Remote. However, WDF doesn't automatically choose a profile by recognizing the current network. You have to make the choice yourself.
As always, I tested the firewall's ability to hide a computer from attack by hackers. My very first port scan test showed that the critical computer port 135 was wide open, and a couple of less frequently used ports were closed but not stealthed. Webroot tech support's explanation was that the firewall was still in its initial training mode. I found that peculiar, since this type of training typically relates to application control. Then tech support told me I should completely uninstall and reinstall the firewall and turn off training mode before running my tests, so I did. Yet, even after this exercise, port 135 remained open. Webroot said this wasn't a problem, but since nearly every other firewall (including the built-in Windows Firewall) manages to stealth all ports without interfering with tasks like file and printer sharing, this oddity left me feeling uneasy about WDF's protective abilities.
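Added example, not part of the original review: a minimal Python check for the three port states the scan above distinguishes (open, closed, stealthed). It assumes you run it from a second machine against your own firewalled PC; the function names and the ports other than 135 are illustrative choices, not taken from the review.

```python
import socket

def classify_port(host, port, timeout=2.0):
    """Classify one TCP port as seen from the machine running this check.

    open      - the TCP handshake completes: a service is listening and reachable
    closed    - the host answers with a reset (connection refused), which still
                reveals that a machine exists at this address
    stealthed - nothing comes back before the timeout: the packet was dropped
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "stealthed"
    except OSError:
        # e.g. an ICMP "unreachable" reply: an answer, so not a silent drop
        return "unreachable"
    finally:
        s.close()

def exposed_ports(host, ports, timeout=2.0):
    """Return {port: state} for every port that is not stealthed."""
    results = {}
    for port in ports:
        state = classify_port(host, port, timeout)
        if state != "stealthed":
            results[port] = state
    return results

if __name__ == "__main__":
    # 135 is the port discussed in the review; 139 and 445 are sample additions.
    # Replace the address with that of the firewalled PC being checked.
    target = "127.0.0.1"
    findings = exposed_ports(target, [135, 139, 445])
    if findings:
        for port, state in sorted(findings.items()):
            print(f"port {port}: {state} (not stealthed)")
    else:
        print("all checked ports are stealthed")
```

A fully stealthed host returns an empty result; any entry reported as closed or open corresponds to the behavior the port scan in the review flagged.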
WDF also controls which applications are allowed to access the Internet. By default, the firewall goes into training mode for its first three days of operation, meaning that any programs attempting access during that time are permanently granted access. You have to assume that this won't include any malicious programs because the antivirus/antispyware will have already removed them. When training mode ends, or if you turn it off, you'll get the typical allow/deny pop-up query each time a new program tries to access the Internet. WDF also preconfigures access for a few hundred common programs.
As everyone knows, however, bad guys are always looking for ways to get around basic program control. Malicious software tries all kinds of tricks to gain Internet access, masquerading as an approved program, for example, forcing an approved program to make the connection, or injecting code into another program. I ran a collection of "leak test" programs that attempt these sneaky techniques, and WDF blocked about two-thirds of them. That's better than
When I tried to blow the firewall out of the water programmatically, as malware might do, I couldn't break it. Killing it with Task Manager didn't work, either: Access denied. I managed to turn off its essential Windows service and disable it from starting again, but firewall protection was unaffected. And all my tinkering couldn't find a way to turn off protection by tweaking the Registry or its configuration files. The only thing that worked was my far-fetched test program that can send fake mouse clicks to turn off protection—and it's very unlikely a malware author could manage to automate that process.
Tech-savvy users may benefit from viewing the firewall's report log of blocked and allowed network packets, or the list of active ports. But for most users these will remain in the realm of the arcane, along with the ability to define custom firewall rules.
Webroot's Firewall—the Unexpected
So far I've described a very ordinary personal firewall, but WDF has another whole personality. It includes all the functionality of PrivacyWare's
I couldn't give this portion of the program my preferred full week of testing, but Webroot confirmed that it works just the same as DSA. I tried installing a dozen PC Magazine utilities and became seriously annoyed. WDF griped again and again that Windows Explorer "exceeded its normal Threat Count Usage." Apparently my concentrated activity after too short a training period triggered this anomaly.
In many cases, WDF displayed a vague warning, stating that "activity related to this process has been detected." I had to click the Details/Options link to find out what it meant. Some of the flagged actions were legitimately suspect. For example, KeyTick installs a global Windows hook, something malicious software might do. But WDF also gave me the same warning for several programs that simply wrote files below the C:\Program Files folder. It even warned that an innocuous game called ColorClue was writing a temp file. Heavens! Horrors! WAV automatically invokes the Block action after 30 seconds, so you can't spend too much time trying to figure out the detail report. No sir, I don't like it.
You can crank up WDF's protection to the next level by enabling Process Detection and turning its Process Monitor to Medium or High. Process Monitor watches running processes for suspicious Windows function calls, the kind that malicious software might use. At the Medium level, it watches a specified list of processes; at the High level it watches all processes. Process detection and process monitoring are turned off by default because they can have a serious impact on start-up time. Of course, with these features enabled, you'll get even more pop-ups.
If you run through the same routine on your computer day after day, rarely changing habits and rarely installing new programs, you may find this added protection more beneficial than annoying. But if your activities range widely, you'll probably turn it off. In any case, this kind of out-of-context activity monitoring is passé. Successful behavior-based anti-malware programs such as
Because WAV has stood still while other products have improved, I'm knocking its rating down to 4 stars. And for now it will have to do without an Editors' Choice in the area of standalone antispyware. I'm treating it as an antivirus/antispyware with a bonus firewall: The firewall doesn't add a lot, but it's free for those who want to use it. But as I've said before, if PC Tools comes up with an improved version of Spyware Doctor that fixes the bugs in its 5.0 release, Webroot had better watch out.
Final Thoughts
Webroot AntiVirus with AntiSpyware and Firewall
The new firewall is a bit unusual, and its "anomaly detection" may drive you bats. But it's a totally free bonus; you don't have to use it. Virus/spyware protection is unchanged from the previous version, while the competition—mostly suites—has moved forward.