Antivirus programs have many ways to identify malicious programs, from simple signature-based detection of known threats to intricate behavior-based detection systems. Webroot Essentials takes advantage of these techniques when appropriate but focuses mainly on behavior patterns. Unknown programs run in probationary status, barred from making permanent changes to the protected PC, while Webroot’s cloud-based brain considers their fate. If a thumbs-down is the verdict, the local Webroot app eliminates the threat and reverses all its actions. This unusual style results in a tiny local app. It doesn’t fit well with some automated lab tests, but it earned top scores in our hands-on tests. For more traditional antivirus protection, look to Bitdefender Antivirus Plus or Norton AntiVirus Plus, our Editors' Choice winners. Both routinely ace independent lab tests, and both offer a broad range of features that are more approachable than Webroot’s expert-level bonuses.

How Much Does Webroot Essentials Cost?

You pay $49.99 per year for one Webroot Essentials license, the same as Bitdefender Antivirus Plus. The most common one-license antivirus price is $39.95 or $39.99, a price shared by Emsisoft, Trend Micro Antivirus+ Security, and ZoneAlarm, among others. Protecting three devices with Webroot brings the price up to $69.99, again the same as Bitdefender and a bit higher than most. Webroot’s pricing tiers top out at five licenses for $89.99.

You can use your Webroot license to install antivirus on either a PC or a Mac. Some components of Webroot Essentials for Mac, in particular the web-based protection system, are identical on both platforms. Overall, the two editions offer similar security features, though Webroot on the Mac doesn't go overboard with expert features quite as much.

Getting Started With Webroot Essentials

The Webroot download is tiny, less than 12MB, and installs in a flash. Immediately after installation, it busies itself with a collection of startup tasks, checking off each one as it finishes. Among the listed tasks are scanning for active malware, analyzing installed applications to reduce warnings and prompts, establishing a system baseline, and optimizing performance for your unique system configuration. Even with these added tasks, the process goes quickly.

(Credit: WebRoot/PCMag)

Until recently, Webroot Essentials was called Webroot Antivirus. Before that, the full name was Webroot SecureAnywhere Antivirus. The app’s appearance has remained the same through these changes for quite a while. It even says Webroot SecureAnywhere across the top still.

This app’s green-toned main window features a lighter panel that reports statistics about recent scans and a button to launch an on-demand scan. Even if you never click that button, Webroot makes a full scan during installation and runs a scheduled scan every day. A panel at the right manages access to the rest of this app’s collection of security features.

Webroot strongly de-emphasizes running a full scan of your entire computer, on the basis that any malicious apps will be caught before they can do any harm. If you select a full scan, it requires confirmation that you understand it's not necessary. On my standard test system, Webroot’s full scan time took just under two hours, while a subsequent scan finished in an hour and a half. The current average is over an hour and a half, so Webroot is in line with the competition.

(Credit: Webroot/PCMag)

Online Console

As part of getting started with Webroot, you’ll set up an online profile. The process has a strong emphasis on security. I don’t always use the strongest passwords for profiles used in testing since they’re only needed for the test duration. But Webroot requires a truly strong password, and logging in requires that you pass a standard CAPTCHA.

You can further enhance your security by protecting your account with multi-factor authentication. You’d previously set up MFA by scanning a QR code with Google Authenticator or a workalike. Alas, Webroot has switched to using less secure SMS-based authentication.

(Credit: WebRoot/PCMag)

If you’re installing Webroot on a new device, click the Downloads and Features item from the console’s left-rail menu. Now, you can download the installer appropriate to your operating system or install the included LastPass app, which I’ll discuss below.

You can view your protected devices from the console and confirm that their protective shields are active. You can also check your subscriptions and, if necessary, renew them here.

(Credit: WebRoot/PCMag)

Sharp-eyed users will note that the console is hosted on carbonite.com, not webroot.com. Indeed, this same console lets you manage Carbonite online backups. OpenText owns both Carbonite and Webroot.

Lab Tests

As noted, Webroot handles new, unknown programs by letting them run under strict monitoring. It prohibits irreversible actions like sending personal data to the internet and keeps a journal of reversible actions, all while awaiting a verdict from Webroot's cloud analysis system. If the program under judgment proves to be nasty, Webroot wipes it out and reverses all its journaled changes.

This system just isn't compatible with many independent lab tests. Labs like AV-Test Institute and AV-Comparatives expect antivirus programs to act immediately on malware they recognize, whether detection occurs using signatures, heuristics, or behavioral analysis. Webroot's relationship with the labs has been rocky. Just one of the four that I follow has recently included Webroot in testing.

Researchers at MRG-Effitas report on two main tests, one specific to banking Trojans and one aiming to cover the full range of malware types. Security programs that don't earn near-perfect scores simply fail; these are tough tests. Webroot used to do particularly well in the all-types test, which offers certification to antiviruses that remediate all malware attacks within 24 hours. That sort of test would align well with Webroot’s journal-and-rollback system. Unfortunately, it’s been some years since Webroot participated.

Researchers at SE Labs use a capture and replay system to package up real-world malware attacks and unleash them on multiple antivirus apps simultaneously. This lab certifies antiviruses at five levels: AAA, AA, A, B, and C; Webroot earned an impressive AAA certification. To be fair, all apps in the latest test report came in at the AAA level.

I use an algorithm to derive an aggregate lab score for antivirus utilities tested by at least two labs. With just one result, Webroot doesn’t have an aggregate score. Avast has the best overall score, 9.9 points, based on tests from all four labs. Also tested by four labs, Norton and Microsoft came in with 9.6 and 9.5 points, respectively. Like Avast, ESET NOD32 Antivirus scored 9.9 points, but that score was based on tests from three labs.

Malware Protection

For many years, Webroot scored high in my own hands-on malware protection tests. In its most recent previous review, it still did very well but not quite up to previous standards. This time, it’s topping the charts again.

As noted above, the scan that Webroot ran as part of the installation found a handful of files, none from my main collection of malware and ransomware samples. It’s not uncommon for this kind of initial scan to miss static, never-launched malware. My main malware-blocking test starts when I open folders containing my samples. For many antiviruses, the tiny access Windows Explorer performs to display the file and its properties is enough to trigger an on-access scan. That’s not the case with Webroot, but copying the samples to another location started the ball rolling.

By observation, when Webroot makes numerous malware discoveries in quick succession, it doesn’t stack up multiple notifications or pack all its discoveries into one notification. When I clicked away its simple notification before it finished, another notification popped up. Copying the files back to their original location seemed to set off another round of detection, so I copied them back and forth a few times. Webroot caught about 80% of the samples at this point.

I noticed that somewhere during that process the main window changed to a red-orange warning and requested a cleanup scan. I allowed the scan, which took a few minutes, and found more malware. Upon removing what it found, Webroot asked for a final scan to ensure a totally clean machine. After that last scan, all but one of the malware samples was gone and sent to quarantine.

(Credit: WebRoot/PCMag)

I maintain a second set of samples that I’ve tweaked by hand, changing the filename, file size, and some non-executable bytes. The initial round of real-time detection missed quite a few of these. That’s not terribly surprising, given that the hand-tweaked files have never been seen before. Even after the full scan, about a third of these remained. That’s actually pretty good for an app that focuses on malware behavior.

As always, this test continues as I launch any samples not eliminated on sight. In this case, that was just one sample, and Webroot caught it. It ran a scan to detect all the malware bits, removed them, and ran a second scan just to be sure. My post-game analysis revealed that the malware managed to plant a few executable files despite Webroot’s efforts, so it didn’t get full credit.

(Credit: Webroot/PCMag)

One way or another, Webroot detected 100% of the samples and scored 9.9 of 10 possible points. Avast, AVG, Norton, and UltraAV came close to this feat, also scoring 9.9 points but with 99% detection. For now, Webroot is at the top.

Webroot’s scan also quarantined some of my hand-coded testing tools, but I can't really blame it. Consider a program that the cloud analysis system has never seen before, whose purpose is to launch fraudulent URLs. Suspicious, much? I restored my tools from quarantine and proceeded with testing.

I use the same set of curated samples for months because the collection process itself takes weeks. To examine protection against the most current threats, I start with a feed of URLs that researchers at MRG-Effitas recently found to be hosting malware. Typically, these are no more than a couple of days old. I launch each and note whether the antivirus prevents browser access to the dangerous URL, eliminates the file upon download, or completely fails to notice the malware download.

(Credit: WebRoot/PCMag)

Of 100 validated dangerous URLs, Webroot blocked 76% in the browser and wiped out the malware payload of another 21%, for a total of 97% protection. Interestingly, when I tried to launch the few verified malware samples, Webroot caught all but one. Note, though, that launching the samples is not actually part of this test.

(Credit: WebRoot/PCMag)

Webroot’s 97% is a decent score—only a few competitors have done better. Aura, NordVPN Plus, and Norton reached 99% in their latest tests, while Avira, Guardio, and Sophos Home Premium scored 100%. Yes, each antivirus gets hit with a different selection of malware-hosting URLs, but they’re always the most recent ones.

Phishing Detection

There's nothing innately dangerous about a phishing website. You won’t find drive-by downloads, malicious scripts, or other active threats, just an inviting imitation of a secure website. You're safe if you’re astute enough to recognize and avoid the fraudulent page. But woe betides the careless web surfer who enters login credentials on one of these fraudulent sites. If you fall for the fraud, you've just given away full access to your bank account, online shopping account, or even dating profile. It's not good. These fraudulent sites get shut down and blacklisted quickly, but the perpetrators simply pop up another fake and start trolling for new victims.

Similar Products

Our Current Picks for The Best Antivirus Software for 2026

Bitdefender Antivirus Plus

4.5 Outstanding

Best Deal£19.99 - Save £20 on 3 Devices on 1 Year Plan

Buy It Now

Bitdefender UK

£19.99 - Save £20 on 3 Devices on 1 Year Plan

Read Our Review

Norton AntiVirus Plus

4.5 Outstanding

Best Deal£19.99 for the First Year, One Device

Buy It Now

Norton UK

£19.99 for the First Year, One Device

Read Our Review

ESET NOD32 Antivirus

4.0 Excellent

Best Deal£19.90 for 1 Device on 1 Year Plan

Buy It Now

ESET UK

£19.90 for 1 Device on 1 Year Plan

Read Our Review

McAfee AntiVirus

4.0 Excellent

Best Deal£39.99/Year for 10 Devices

Buy It Now

McAfee UK

£39.99/Year for 10 Devices

Read Our Review

Emsisoft Anti-Malware

4.0 Excellent

Best Deal£21.74 Per Year

Buy It Now

Emsisoft UK

£21.74 Per Year

Read Our Review

G Data Antivirus

4.0 Excellent

Buy It Now

Read Our Review

Malwarebytes Premium Security

4.0 Excellent

Best Deal£29.99

Buy It Now

Malwarebytes UK

£29.99

Read Our Review

Sophos Home Premium

4.0 Excellent

Best Deal£37.5

Buy It Now

Sophos

£37.5

Read Our Review

Webroot Essentials

4.0 Excellent

Best Deal£14.99

Buy It Now

Webroot UK

£14.99

Read Our Review

(Credit: WebRoot/PCMag)

To test an antivirus app’s phishing protection, I try for an even split between verified phishing URLs and reported frauds that are so new there's been no time to analyze and blacklist them. I launch each URL in a browser protected by the antivirus I'm testing and simultaneously in browsers relying on the phishing protection built into Chrome, Edge, and Firefox. I discard any that fail to load in one or more of the browsers and any that don't precisely fit the definition of phishing. Once I have enough data points, I run the numbers.

Webroot has turned in a long string of perfect and near-perfect scores in this test but bobbled slightly in my previous review, only reaching 93% detection. This time around, it’s back at 100%. Avira, Guardio, and McAfee also caught 100% in their latest tests, as did the VPN-focused NordVPN Plus and Surfshark One. Norton Genie, an app designed to detect phishing and other scams, also achieved a perfect score.

Phishing is totally platform-independent. If your smart fridge includes a full-scale browser, you can get scammed while making a shopping list. Phishing protection, though, can vary by platform. In the past, I’ve frequently seen situations where a company’s Windows edition outperformed its macOS edition in the same test. The Windows and Mac editions scored in lockstep with Webroot, achieving identical results.

Ransomware Protection

Webroot's journal and rollback system should even roll back the effects of encrypting ransomware. However, the company warns that limitations like available drive space can impact this ability. In truth, it would be very unusual for a ransomware attack to get past all the other layers of protection. Because Webroot wiped out all my ransomware samples either on sight or the moment they launched, I had to scramble to figure out how to test its ransomware protection.

The scariest ransomware is the zero-day type that’s never been detected before. I don’t have the coding skills (or the inclination) to create that sort of threat for testing. I made several attempts to create a simpler test program that would be unknown to Webroot, like a zero-day threat, and would perform dangerous actions, actions worthy of being rolled back. I’ve managed this in past reviews. However, I just couldn’t find the sweet spot this time.

In the end, I used a test program supplied by Webroot, one that, by design, isn’t detected as malware. I ran it and let it perform encryption on files in the Documents folder. I verified that the encryption happened. I clicked Utilities, chose the System Control tab, and launched the list of active processes. As expected, the test program was listed as one being monitored.

(Credit: Webroot/PCMag)

Emulating Webroot’s cloud-based brain, I manually blocked the sample program as dangerous, confirmed immediate termination, and launched a scan. The scan removed the file and reversed its actions, restoring the encrypted files.

Yes, given that the test program came from Webroot, it’s no surprise that the protection system worked as expected. But again, in past reviews I’ve managed this demonstration using a program I wrote myself, with no involvement by the company.

For past reviews, I’ve performed limited real-world ransomware testing by creating never-before-seen tweaked versions of the ransomware samples I normally use in testing. I’ve been able to see that Webroot restored originals but didn’t delete encrypted versions of files and didn’t clean up ransom notes. Hey, if you got your files back, cleanup is the least of your worries!

This time around, Webroot proved just too effective. Even though I crafted a brand new set of tweaked samples, it eliminated all but five of them on sight. It caught two more before they could launch. Another two didn’t trigger any detection based on behavior because they simply didn’t do anything, a fairly common occurrence.

That leaves one sample that did manage to get past Webroot’s protection. The escapee, a disk wiper, completely trashed the test system’s hard drive. Fortunately, fixing a virtual machine’s hard drive is as easy as restoring a snapshot. Do note that Webroot’s ability to roll back changes relates to file-encrypting ransomware, not to malware that encrypts or wipes the whole disk.

Firewall

For many security companies, a personal firewall is one of the features that distinguishes the security suite from the standalone antivirus. Webroot's antivirus includes a firewall, but it doesn't work quite like most. It does not attempt to put your system's ports in stealth mode, leaving that task to the built-in Windows Firewall, which does a fine job.

Webroot classifies programs as good, bad, or unknown. Like Norton AntiVirus Plus, it leaves the good ones alone, eliminates the bad ones, and monitors the unknowns. As mentioned earlier, if a monitored unknown program tries a non-reversible action like sending your credit card details overseas, Webroot prevents it.

(Credit: WebRoot/PCMag)

By default, the firewall ups its game when Webroot detects an active infection, which causes the main window to turn from green to dramatic red. In this mode, any network traffic by unknown programs requires your permission, but normal activities like web browsing proceed uninterrupted.

The firewall has two other program control modes. You can set it to require confirmation for internet access by untrusted programs even when there’s no active infection. Or you can crank it up so that every access attempt requires confirmation unless you’ve given the program permission.

Every program on your system before you installed Webroot is considered trusted, so I had to test using a new hand-tweaked variation of a tiny browser I wrote myself. Webroot allowed this program to access the internet even when set to block untrusted programs. It turns out that Webroot’s analysis identified this modified program as a variation on other programs it had seen before and therefore considered it trusted.

(Credit: WebRoot/PCMag)

When I created a new, never-before-seen variant and set the firewall to warn about all programs except those explicitly permitted, I saw this feature in action. My contact noted that regular users never invoke the higher levels of program control and that these settings may be removed going forward.

Even when it’s working, firewall protection means bubkes if a malware coder can reach in and turn it off. The more processes and services a security tool contains, the more opportunities for such chicanery. With six services, three processes, and no settings exposed in the Registry, Webroot has a small attack surface. My every attempt to halt its protection resulted in an ignominious Access Denied message.

LastPass Premium

In the panel at the right-hand side of the main window you’ll notice a section labeled Password Manager. Clicking the Start Now button takes you to the online console, where you’ll find a prominent notice to set up key features, including LastPass. Click the Activate button and follow the instructions to take advantage of this offer.

(Credit: WebRoot/PCMag)

We’ve reviewed LastPass Premium separately, so I’ll refer you to that article for details. Briefly, LastPass is a venerable player in password management, with all the expected features. However, its security record has been a little spotty, and its free tier is limited. We’ve rated it 3.5 stars.

Advanced Features

Like most modern antivirus utilities, Webroot works fine even if you totally ignore it. Out of the box, it’s configured for maximum protection, and if you don't make any changes, it runs a scan every day. What more could you want? It turns out that there’s a ton more to discover under the surface for those who dare.

Clicking the settings gear next to Privacy Protection on the main window brings up a page with two tabs: Online Protection and Application Protection. The first tab controls Privacy Shield and Phishing Shield, with toggles to turn those features on and off. The rest of the page displays a laundry list of what these shields involve. They aim to fend off a wide variety of typical malware attacks, including man-in-the-middle, browser process modification, and keylogging.

(Credit: WebRoot/PCMag)

Webroot’s Application Protection feature prevents the extraction of personal data from protected programs. The corresponding tab simply lists protected applications. Some years ago, Webroot populated the list with Chrome, Internet Explorer, and Firefox. At present, the list starts off empty.

You can add programs to the list for protection, but it’s not easy. Edge seemed obvious, but finding the proper EXE file was a challenge. Most users won’t dig into these settings and hence won’t get any benefit from this feature. Those who try to activate it manually may find the process too difficult. Why couldn’t Webroot offer a simple list of suggested applications rather than forcing users to wade through the file system?

(Credit: WebRoot/PCMag)

Clicking the gear icon next to Utilities reveals a page with three tabs containing advanced utilities: Antimalware Tools, Reports, and System Control. The tools on the antimalware tab let you repair the damage left behind after malware remediation, things like malware-modified desktop background, screensaver, or system policies. You can also use it to reboot into Safe Mode, or to perform an instant reboot. Those with the necessary skills can use another tool to manually remove any program and its associated Registry data. Even if you claim no tech skills, you can run a removal script created by Webroot tech support.

If you really want to see what Webroot has been doing, open the Reports tab and check its current or historical activity. You probably won't want to read the available scan or threat log, but tech support might ask for them. And if there’s a file you really don’t trust, you can submit it for judgment by Webroot’s research team.

The System Control tab is where you find the Active Processes list, which shows all running processes and flags those that are under monitoring by Webroot. Also on this page is the SafeStart Sandbox. There are features for experts and features for professionals. SafeStart Sandbox is among the latter. If you're a trained antivirus researcher, you can use it to launch a suspect program under detailed limitations that you specify. If you're not, just leave it alone. I don't even use that one myself.

Verdict: Small and Effective

With its deep analysis in the cloud, Webroot’s local presence is tiny. Its journal-and-rollback system for protecting against unknown programs isn’t a good fit with automated lab tests, but it earned top scores in our hands-on tests. It’s a good choice, though a bit unusual. Norton AntiVirus Plus appears in the latest tests from the four labs we follow, with perfect scores from three. Tested by three labs, Bitdefender Antivirus Plus earned perfect and near-perfect scores. Both offer an approachable set of bonus security features and have earned our Editors’ Choice award.