Fact or Myth: Older, slower antivirus software is better and more thorough than the faster Webroot SecureAnywhere


Userlevel 7
  • Retired Webrooter
  • 2146 replies
MYTH


Ever since the launch of Webroot SecureAnywhere (WSA), one of the biggest concerns we have seen is that the scans are "too fast to be doing anything effectively."  Having worked in support since well before the launch of WSA, I cannot tell you how many times I have seen this topic come up due to a popular misconception that a fast scan is somehow less thorough.
 
To explain why this is a myth rather than a fact, I'll first explain how older, conventional detection models work.
When you first install a program that relies on one of those models, the program first imports tens to hundreds of megabytes of detection definitions from a central server.  The installation is slow and cantankerous.  If you're on a slower-speed connection, this initial stage can prove insurmountable at times.  Believe it or not, some people still use dial-up.  There are some parts of the world that unfortunately still don't have a choice.  If you're one of those unlucky people, this is one of those situations where you better hope your internet connection stays active for about 4 to 8 hours.  Even if you're on high speed, the installation might take 5 to 10 to 20 minutes or longer for some programs.  It's all very relative to your connection and the size of the data being downloaded, but one thing is constant - definitions-based models are bulky.
By the time you finally get that thing installed, it's most likely consuming about 100MB or more of your system memory.  This will vary depending on what it's doing.  It will always have a lot of weight holding down your computer, but when it starts scanning, that memory usage will typically fluctuate between "a lot" and "a ridiculous amount."  Hopefully you don't want to use your computer for anything else during the next hour or so, because it won't typically be in any state to let you do anything more memory-intensive than playing solitaire.
 
The scan clunks on for the next hour scanning every last file on your computer.  Remember that 500MB family video you took a few years ago that's been sitting around in your My Videos area untouched since it was made?  Old Bulky AV Program is scanning it with a rigorous battery of tests and subjecting it to a match with any given definition file it has available to cross-reference to.  A while later, it will lumber on to Huge File #2.
 
Why is this?  The more stuff you have to do locally on the system, the slower the system goes.  So right now you have a product that is probably a few hundred megabytes in size (which will only grow bigger and bigger over time with more updates), which is eating up a huge chunk of your memory and is scanning stuff that it could have ruled out as "not a risk" to begin with by using a few simple techniques to see if either (a) that file has been altered since the last time it was scanned or (b) whether or not that file stands any chance of being auto-run or is currently in use.  Certainly on the very first scan it can't check via method (a), but it could very well perform method (b) if it knew how to look.  Unfortunately, that's not the way a traditional model operates.
 
Until the paradigm shift of Webroot SecureAnywhere, this slow, clunky, traditional model was the best model out there.  Awful as it was, people still got used to it. 


Naturally, when a program showed up claiming to work better, faster, and more efficiently than the old model, people were understandably skeptical.
 
Here are some of the main causes for speed differences:


1. Take the installation for example.  The main component of our software is about 600KB.  That's right - KB - not MB.  Installation is almost instantaneous.  Many people mistake the progress bar on the first scan as an installation progress bar just because that's what they are used to seeing.  There is no longer an installation progress bar because the installation literally takes about one second.  If you have an older version of Webroot installed, it might take slightly longer (seconds - not minutes the vast majority of the time) since it has to remove that, but most of that process happens in the background and doesn't slow the installation of the new version at all.
 
2. Compare the amount of memory it uses.  At the moment I'm writing this, my installation of Webroot SecureAnywhere is using about 4.5MB of memory.  It doesn't fluctuate wildly from that amount but rather remains quite low even during scans.  This has everything to do with how the antivirus software is going about its business protecting you.  Since traditional antivirus software relies exclusively on performing a local comparative analysis between any file and what the software thinks that file should be doing, it's going to eat up a lot of your memory.  Conversely, Webroot SecureAnywhere is a cloud-based detection model.  This means that instead of locally checking every file on your computer against a massive list of known risks, it's taking a unique hash of that file and cross-referencing it against our cloud database.  For the vast majority of the files on your computer, the database already knows in advance from prior scans whether or not it's a good file or a bad file.  It communicates back almost instantaneously what to do about that file. 
 
Some people at this point may wonder "what is a hash?"  Without getting too technical, the hash is basically a 32-character unique text representation of any file in existence.  For example, here is a hash of one version of iexplore.exe, a file most any Windows user would have: 86257731DDB311FBC283534CC0091634.  When that hash is sent up to the cloud, our cloud database checks it to see if that is a good file, a bad file, or an unknown file.  In this case, it's a good file.  So the cloud database sends that result back to the computer.  This takes almost no time at all.  In the event it's an unknown file, there are still local behavioral measures in place to keep an eye on it and make sure it doesn't do anything bad.  If the software deems it necessary, it will even run that file in a "sandbox" first before letting the file actually run.  The sandbox allows Webroot to test a file first to see what it does before it actually lets it do it.  It can perform this test about as fast as the unknown program itself can run its own code.  If the behavioral system notices the file has done something bad, it quarantines it.
 
3. Webroot doesn't scan stuff that makes no sense to scan.  That's what shields are for.  If you're not in the middle of a scan and you run an infected file, it's not a scan that picks up the threat but rather a shield.  The shields work on the same principles as a scan, but they are focused to individual files being run in real time.  Let's take the 500MB family movie example I mentioned earlier.  What's the point in scanning that file during a scan?  Does it stand any chance of automatically running on your computer?  Is it already running on the computer?  Have we already scanned it before?  If so, has it changed since the last time it was scanned?  There are a variety of ways Webroot can check for these attributes (and others like them), very quickly, and if it makes sense to include that file in a scan Webroot will include it.
To play devil's advocate, let's assume it's actually an infected file that has been sitting on your hard drive for the last 10 years.  You downloaded it from your movie camera, it got injected with an infection somehow, and it's been sitting there idle and unused ever since.  You then installed Webroot after the fact.  Will the scan pick up on it?  Probably not, because it's not going to run unless you tell it to run.  Let's then assume you try to play the file.  The same action that would have picked up on that file as a threat via an unnecessarily long scan now picks up on it using a shield instead.  There is no difference in the level of protection – just the level of efficiency.  It finds the threat anyway when it becomes an actual threat.  Until that point, that "threat" is just a file sitting on the hard drive that is not in use and poses no actual risk until it is run.  The end result is a more efficient model that still offers the same level of protection that it would if it ran unnecessarily longer "full" scans.
 
4. The more people who run Webroot SecureAnywhere, the better protected everyone is and the faster the software works.  Because this is a cloud-based detection model, the more detection data we aggregate in the cloud, the faster we can make a determination on any new file in the world.  Every time anybody else installs the software, you are a little bit more protected.  If File X is doing something bad on another Webroot-protected computer somewhere else in the world, Webroot doesn’t only make a rules-based determination on that computer but also flags File X as a bad file globally, marking it as a file to automatically be determined as bad anywhere else in the world at the same time.  Once it’s been globally determined, WSA doesn’t need to employ a behavioral detection to figure out if File X is good or bad anymore because it already knows this based on the unique file signature housed in the cloud.
 
5. Webroot SecureAnywhere is compatible with any other antivirus protection available.  It was specifically designed to recognize who the good guys are.  It will never try to quarantine or break another antivirus program.  It will never battle over the right to act first against a threat.  While it’s unnecessary to run another antivirus program, a lot of people like to take the approach of doubling-down on their security regardless.  Recognizing this fact, Webroot SecureAnywhere will allow you to run any other antivirus software you want alongside it, and it will not interfere.  That means it doesn’t slow down your system with incompatibility issues and conflicts.
 
Hopefully this helps to clarify why Webroot SecureAnywhere is both better and faster than the traditional antivirus models.
 
If you read this whole thing, you deserve a kudo from me!  😃
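The cloud-lookup model described in points 2 and 4 and the "only scan what matters" logic in point 3, as an added example that is not Webroot's code and is not part of the original post. The "cloud" is a constructed in-memory dictionary, the files are constructed in a temporary directory, and the digest is MD5 only because the post's sample hash is 32 hex characters (a 128-bit MD5); a reputation service built today would key on SHA-256, since MD5 collisions are cheap to produce. The iexplore.exe digest below is the one quoted in the post and is treated as good purely because the post says it is.

```python
"""
Added example, not Webroot's code: a toy model of hash-based cloud
reputation plus scan prioritisation and an execution-time "shield".
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

GOOD, BAD, UNKNOWN = "good", "bad", "unknown"


@dataclass
class CloudReputation:
    """Assumption: the cloud is an in-memory dict keyed by upper-case MD5 hex."""
    verdicts: dict = field(default_factory=lambda: {
        # Digest quoted in the post for one version of iexplore.exe.
        "86257731DDB311FBC283534CC0091634": GOOD,
    })

    def lookup(self, digest):
        return self.verdicts.get(digest.upper(), UNKNOWN)

    def report_bad(self, digest):
        """One endpoint's behavioural detection becomes the global verdict."""
        self.verdicts[digest.upper()] = BAD


def md5_hex(path):
    """Streamed so a 500MB file is never read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def is_executable(path):
    """PE images start with 'MZ'; also treat common runnable extensions as candidates."""
    with open(path, "rb") as f:
        magic = f.read(2)
    runnable = (".exe", ".dll", ".scr", ".ps1", ".bat", ".js", ".vbs")
    return magic == b"MZ" or path.lower().endswith(runnable)


@dataclass
class Scanner:
    cloud: CloudReputation
    seen: dict = field(default_factory=dict)      # path -> (size, mtime, digest)
    monitored: set = field(default_factory=set)   # digests under behavioural watch

    def needs_scan(self, path, autorun_paths=()):
        st = os.stat(path)
        prev = self.seen.get(path)
        if prev and prev[:2] == (st.st_size, st.st_mtime):
            return False                          # (a) unchanged since last scan
        return is_executable(path) or path in autorun_paths   # (b) could ever run?

    def check(self, path):
        digest = md5_hex(path)
        st = os.stat(path)
        self.seen[path] = (st.st_size, st.st_mtime, digest)
        verdict = self.cloud.lookup(digest)
        if verdict == UNKNOWN:
            self.monitored.add(digest)            # unknown -> watch its behaviour
        return verdict

    def scan(self, paths, autorun_paths=()):
        return {p: (self.check(p) if self.needs_scan(p, autorun_paths) else "skipped")
                for p in paths}

    def on_execute(self, path):
        """Shield: every execution is checked, whether or not a scan ever looked at it."""
        return self.check(path)


def demo():
    """Constructed files: a dormant 'video' blob and a PE-like tool."""
    cloud = CloudReputation()
    scanner = Scanner(cloud)
    with tempfile.TemporaryDirectory() as d:
        video = os.path.join(d, "family.avi")
        tool = os.path.join(d, "tool.exe")
        with open(video, "wb") as f:
            f.write(b"RIFF" + b"\x00" * 4096)     # constructed, non-executable
        with open(tool, "wb") as f:
            f.write(b"MZ" + b"\x90" * 64)         # constructed PE-like header
        base = os.path.basename
        first = {base(k): v for k, v in scanner.scan([video, tool]).items()}
        second = {base(k): v for k, v in scanner.scan([video, tool]).items()}
        shield = scanner.on_execute(video)        # "playing" it still gets checked
        cloud.report_bad(md5_hex(video))          # another endpoint flags it
        after_report = scanner.on_execute(video)
        return {"first": first, "second": second, "shield": shield,
                "after_report": after_report, "monitored": len(scanner.monitored)}


if __name__ == "__main__":
    print(demo())
```

`demo()` walks through the post's own scenario: the dormant family.avi is skipped by both scans (not executable, not auto-run), tool.exe is looked up once and then skipped while unchanged, the shield still checks the video the moment it is "played", and once one endpoint reports that digest the global verdict is bad for every later lookup without any further behavioural analysis.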

11 replies

Userlevel 7
Badge +55
A great, great job of explaining how Webroot SecureAnywhere really works and the future is here now with the cloud!
 
Thanks Jim!
 
Daniel
Userlevel 4
Badge +23
Fascinating read. Thanks Jim!
Userlevel 7
Thx Jim, incredible feat 😃
Userlevel 4
Badge +23
You say "it’s unnecessary to run another antivirus program..." That's a lot of faith to place in WSA. Do you not think it wise to take a layered security approach? Do you for instance use WSA on its own?
Userlevel 7
Badge +55
@ wrote:
You say "it’s unnecessary to run another antivirus program..." That's a lot of faith to place in WSA. Do you not think it wise to take a layered security approach? Do you for instance use WSA on its own?
It's all I use but I'm a safe surfer and don't click on unknown files so I don't feel the need for a layered security but I do have a couple of On-demand scanners which only find yummy cookies which aren't dangerous! ;)
 
TH
Thanks Jim for the excellent explanation on how WSA works. 😃
Userlevel 4
Badge +23
@ wrote:
@ wrote:
You say "it’s unnecessary to run another antivirus program..." That's a lot of faith to place in WSA. Do you not think it wise to take a layered security approach? Do you for instance use WSA on its own?
It's all I use but I'm a safe surfer and don't click on unknown files so I don't feel the need for a layered security but I do have a couple of On-demand scanners which only find yummy cookies which aren't dangerous! ;)
 
TH
I was actually asking Jim the question, but couldn't find where to quote, which I've obviously now discovered :p But, thanks for responding anyway :D
Userlevel 7
The_Seeker,
 
TripleHelix gave pretty much the same answer I was going to provide anyway.  But I will expand a bit.
 
Let's stipulate a few things first:
1. No antivirus company is going to create an antivirus solution only to then turn right around and suggest you need to get something else from some other provider to bolster it.  I can't speak for other antivirus manufacturers, but we honestly think our solution is sufficient.  It's like that old catch-line on The Reading Rainbow though, "you don't have to take my word for it."  Listen to TripleHelix or ask the other non-Webroot-employees the same thing, and you'll get much of the same satisfied answer TripleHelix gave already.
2. I'm not really the best test case for this question, because like TripleHelix, I just don't get infected.  Furthermore, if I do get infected, I can typically get rid of it in a few minutes.  This is because that was actually part of my job for a while - I got rid of infections by hand.  I can't say I've ever run into this situation since I started running WSA though.
 
So that said, I'll give you the best answer I can.  Maybe for some people, it's a reasonable choice.  The old logic of "this database knows about this threat but this other one doesn't, so it's good to run both" isn't as wrong as it used to be.  Back when basically all antivirus software was incompatible with all other antivirus software, running two of them was a terrible idea and actually decreased the effectiveness of both of them.  However, one of the things WSA gets complimented on most of all is in fact its ability to run alongside other AV without breaking it.  Clearly this means there is at least perceived value in running two of them.  Does that mean there is actual value there?  Well, sorta.  There are certainly the corner cases where we miss something somebody else finds.  That happens with all antivirus programs.  As I've said before, no antivirus program is 100% effective in all cases all the time. 
 
The question however is "is it wise to take a layered security approach?"  That question involves a lot of variables other than effectiveness.  The cost of the product(s), your savvy with computers, whether you really want to deal with two interfaces, the fact that the other program is probably still Bulky Old AV slowing you down, etc - these are all things you'd want to put into your personal equation.  It's a valid choice to choose to run both programs, but whether you do that depends more on your particular preference than anything else.
 
Something else to consider is that the support call queue here at Webroot has been sitting at 0 calls for a good chunk of the last couple of weeks.  That tells me that not a lot of people are needing to contact us for infections we somehow missed.  And in the cases where we do get such calls, when we determine a file to be bad, that determination is held constant for all users.  In doing so, that tells the software to not only pull it off your computer but any other computer we might be missing it on.  So as long as somebody in the world with that infection (and WSA) contacts us, everybody else reaps the benefit of that contact with support.  And that's still a rare scenario too - the vast majority of WSA users don't ever need to contact support to begin with.
 
In short, you will be ok with just WSA.  If you want to run something else, that's fine too but unnecessary.
Userlevel 7
Jim will be replying shortly if I'm not mistaken (he just alerted me that he made his post once mine was mostly-written), and I'm going to add my two and a half cents here.
 
Yes, I only use WSA on my personal computer, and my wife's, and my parents'. 
 
While people might, for example, point at the recent AV-C report and jump up and down, I have a somewhat, sort-of cheat insight:  I can see what's going on in support, and on our back end, and In Reality.  I'm not looking at test results of some sort when I put faith in it.  I'm looking at what is happening to millions of our customers, what is happening to our support crew, and what we are actually seeing on the cloud system.  I'm seeing infections being rare in practice to start with, and those that are getting through are often determined in 30 minutes or less.  By the time somebody gets the idea that maybe they should call us, we've already taken care of it.   I'm seeing support calls at an all-time low for all the years I've been here.  I'm not only seeing WSA frequently getting first response on stuff that multi-scanners (like VirusTotal for example) trigger -nothing- on, but I can even contribute if I feel like it and create those first responses.
 
My history is from support to the escalations group to now QA, but I'm one of those Jacks. ;)
 
I'll admit... There's kind of a mixed feeling when I go into the cloud system and find certain things.  How would you feel, for example, to know that five people of all your millions of customers have gotten this infection...  When sent to VT, -nothing- picks it up at all... and it was first seen on VT when you sent it, and first seen on the Webroot cloud about a day ago...  You follow some threads from that infection, and find that a few thousand people have gotten the same thing heuristically, all starting a day ago...  Server-side polymorph most likely, and again, none of the samples sent to VT trigger a single hit, but it's trivial to see the infection working and everything it does.  A new rule and suddenly the entire swath is wiped out instantly across everybody who has it.  A local test against the vector with several systems running different security packages, and no, there's no blocking of the URL or something else that would have caught it in a way that VT wouldn't exhibit, and within a few days, the source servers aren't even running on the IP anymore.
 
VT only begins to start getting hits trickling in three days later, and a good 20/42 two weeks later.  It's a mixed feeling, like I said.  On one hand, you found something and got it fixed in record time compared to everybody else.  On the other hand, many of those customers were infected for up to a full 24 hours.  On the third, mutant hand, you know that the "other guys" didn't catch it from the direct sources and if they ever would, it's too late anyway because those sources are down.  How much could a virus wrangler do with 3,000 infected Webroot customers in a day, or how much could they do with tens of thousands or hundreds of thousands of infected other customers for two weeks?
 
So while other companies may have reporting systems, we have a realtime view of everything going on on the threat landscape, and that view is why we can say that things are going much better than anybody may think they are going.
 
Is a layered approach a good idea?  Depends on your needs, capabilities, and on the balance you want to maintain.  But remember, the most important layer of security is the user themself. 
 
But yes, I eat my own dog food, so to speak. 😉
Userlevel 4
Badge +23
Wow, thank you so much Jim and Kit; I could not have wished for two more thorough responses to my questions.
 
I'll respond to you both by saying that I'm currently running WSA on four PCs in my household: mine and my three boys' (aged 18, 14 and 10). Going by my experience, and the info I see daily on Webroot's fantastic PC Security Console, none of them have been infected in over two months of heavy usage. I've experienced a threat or two, but these I was expecting, as sometimes I download risky files for testing purposes/amusement.
 
I consider myself to be a moderate to advanced user who knows his way around a PC. For a while now, I've actually been wondering whether I should run an AV at all. I've since abandoned this idea as I've found I need the peace of mind that realtime protection brings. I did consider running a standalone HIPS, but they never felt right to me as they could perhaps notify me of/prevent an intrusion, but not remove/quarantine the threat if that were needed.
 
Now, the fact that my boys haven't been infected still amazes me. This also means that I haven't had one complaint from them over the last couple of months, about their PC running slow, or "this keeps popping up" etc. This alone is worth the price of the program.
 
I guess I really asked my original questions, not because I doubted WSA, but because I was looking for confirmation that my suspicions were correct all along, i.e. WSA is enough for me (and for my boys too, it seems). The more I think about it, the more I realise that I cannot remember the last time I was infected without expecting it.
 
For a while now I've been wondering whether I really do need to run MBAM PRO alongside my AV. But now, thanks to you guys and the stellar performance of WSA, I've decided to leave MBAM and programs of the like to on-demand scanning, if and when I think I may need it.
 
Thanks once again to you all for responding :D
Userlevel 7
Always very welcome. :)
 
Trust me, the internal knowledge I have really helps the viewpoint, but I realize not everybody has that internal view, so I guess sharing that insight is a useful thing sometimes.  I will admit, there are some cases where I know things I can't share, even if they would help the situation, and I'm frustrated to no end in some of those cases, but ahh well.
 
If MBAM Pro provides a good balance of performance versus protection when you combine it with WSA, then by all means, run it.  I always say to just look at what you will lose and what you will gain by any action, and decide whether the balance is in your favor.  If you gain a larger amount by not running it, then don't run it. 🙂
