Ever since the launch of Webroot SecureAnywhere (WSA), one of the biggest concerns we have seen is that the scans are "too fast to be doing anything effectively." Having worked in support since well before the launch of WSA, I cannot tell you how many times I have seen this topic come up due to a popular misconception that a fast scan is somehow less thorough.
To explain why this is a myth rather than a fact, I'll first explain how older, conventional detection models work.
When you first install a program that relies on one of those models, the program first imports tens to hundreds of megabytes of detection definitions from a central server. The installation is slow and cantankerous. If you're on a slower-speed connection, this initial stage can prove insurmountable at times. Believe it or not, some people still use dial-up. There are some parts of the world that unfortunately still don't have a choice. If you're one of those unlucky people, this is one of those situations where you had better hope your internet connection stays active for about 4 to 8 hours. Even if you're on high speed, the installation might take 5, 10, or 20 minutes or longer for some programs. It's all very relative to your connection and the size of the data being downloaded, but one thing is constant - definitions-based models are bulky.
By the time you finally get that thing installed, it's most likely consuming about 100MB or more of your system memory. This will vary depending on what it's doing. It will always have a lot of weight holding down your computer, but when it starts scanning, that memory usage will typically fluctuate between "a lot" and "a ridiculous amount." Hopefully you don't want to use your computer for anything else during the next hour or so, because it won't typically be in any state to let you do anything more memory-intensive than playing solitaire.
The scan clunks on for the next hour scanning every last file on your computer. Remember that 500MB family video you took a few years ago that's been sitting around in your My Videos area untouched since it was made? Old Bulky AV Program is scanning it with a rigorous battery of tests and subjecting it to a match with any given definition file it has available to cross-reference to. A while later, it will lumber on to Huge File #2.
Why is this? The more stuff you have to do locally on the system, the slower the system goes. So right now you have a product that is probably a few hundred megabytes in size (which will only grow bigger and bigger over time with more updates), which is eating up a huge chunk of your memory and is scanning stuff that it could have ruled out as "not a risk" to begin with by using a few simple techniques to see (a) whether that file has been altered since the last time it was scanned or (b) whether that file stands any chance of being auto-run or is currently in use. Certainly on the very first scan it can't check via method (a), but it could very well perform method (b) if it knew how to look. Unfortunately, that's not the way a traditional model operates.
Until the paradigm shift of Webroot SecureAnywhere, this slow, clunky, traditional model was the best model out there. Awful as it was, people still got used to it.
Naturally, when a program showed up claiming to work better, faster, and more efficiently than the old model, people were understandably skeptical.
Here are some of the main causes for speed differences:
1. Take the installation for example. The main component of our software is about 600KB. That's right - KB - not MB. Installation is almost instantaneous. Many people mistake the progress bar on the first scan as an installation progress bar just because that's what they are used to seeing. There is no longer an installation progress bar because the installation literally takes about one second. If you have an older version of Webroot installed, it might take slightly longer (seconds - not minutes the vast majority of the time) since it has to remove that, but most of that process happens in the background and doesn't slow the installation of the new version at all.
2. Compare the amount of memory it uses. At the moment I'm writing this, my installation of Webroot SecureAnywhere is using about 4.5MB of memory. It doesn't fluctuate wildly from that amount but rather remains quite low even during scans. This has everything to do with how the antivirus software is going about its business protecting you. Since traditional antivirus software relies exclusively on performing a local comparative analysis between any file and what the software thinks that file should be doing, it's going to eat up a lot of your memory. Conversely, Webroot SecureAnywhere is a cloud-based detection model. This means that instead of locally checking every file on your computer against a massive list of known risks, it's taking a unique hash of that file and cross-referencing it against our cloud database. For the vast majority of the files on your computer, the database already knows in advance from prior scans whether or not it's a good file or a bad file. It communicates back almost instantaneously what to do about that file.
Some people at this point may wonder "what is a hash?" Without getting too technical, the hash is basically a 32-character unique text representation of any file in existence. For example, here is a hash of one version of iexplore.exe, a file most any Windows user would have: 86257731DDB311FBC283534CC0091634. When that hash is sent up to the cloud, our cloud database checks it to see if that is a good file, a bad file, or an unknown file. In this case, it's a good file. So the cloud database sends that result back to the computer. This takes almost no time at all. In the event it's an unknown file, there are still local behavioral measures in place to keep an eye on it and make sure it doesn't do anything bad. If the software deems it necessary, it will even run that file in a "sandbox" first before letting the file actually run. The sandbox allows Webroot to test a file first to see what it does before it actually lets it do it. It can perform this test about as fast as the unknown program itself can run its own code. If the behavioral system notices the file has done something bad, it quarantines it.
3. Webroot doesn't scan stuff that makes no sense to scan. That's what shields are for. If you're not in the middle of a scan and you run an infected file, it's not a scan that picks up the threat but rather a shield. The shields work on the same principles as a scan, but they are focused on individual files being run in real time. Let's take the 500MB family movie example I mentioned earlier. What's the point in scanning that file during a scan? Does it stand any chance of automatically running on your computer? Is it already running on the computer? Have we already scanned it before? If so, has it changed since the last time it was scanned? There are a variety of ways Webroot can check for these attributes (and others like them), very quickly, and if it makes sense to include that file in a scan Webroot will include it.
To play devil's advocate, let's assume it's actually an infected file that has been sitting on your hard drive for the last 10 years. You downloaded it from your movie camera, it got injected with an infection somehow, and it's been sitting there idle and unused ever since. You then installed Webroot after the fact. Will the scan pick up on it? Probably not, because it's not going to run unless you tell it to run. Let's then assume you try to play the file. The same action that would have picked up on that file as a threat via an unnecessarily long scan now picks up on it using a shield instead. There is no difference in the level of protection – just the level of efficiency. It finds the threat anyway when it becomes an actual threat. Until that point, that "threat" is just a file sitting on the hard drive that is not in use and poses no actual risk until it is run. The end result is a more efficient model that still offers the same level of protection that it would if it ran unnecessarily longer "full" scans.
4. The more people who run Webroot SecureAnywhere, the better protected everyone is and the faster the software works. Because this is a cloud-based detection model, the more detection data we aggregate in the cloud, the faster we can make a determination on any new file in the world. Every time anybody else installs the software, you are a little bit more protected. If File X is doing something bad on another Webroot-protected computer somewhere else in the world, Webroot doesn’t only make a rules-based determination on that computer but also flags File X as a bad file globally, marking it as a file to automatically be determined as bad anywhere else in the world at the same time. Once it’s been globally determined, WSA doesn’t need to employ a behavioral detection to figure out if File X is good or bad anymore because it already knows this based on the unique file signature housed in the cloud.
5. Webroot SecureAnywhere is compatible with any other antivirus protection available. It was specifically designed to recognize who the good guys are. It will never try to quarantine or break another antivirus program. It will never battle over the right to act first against a threat. While it’s unnecessary to run another antivirus program, a lot of people like to take the approach of doubling-down on their security regardless. Recognizing this fact, Webroot SecureAnywhere will allow you to run any other antivirus software you want alongside it, and it will not interfere. That means it doesn’t slow down your system with incompatibility issues and conflicts.
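To make points 2 and 3 concrete, here is a small added example (not Webroot's code) of a scan that skips files unchanged since the last scan and resolves the rest by hash lookup. It assumes MD5 only because its digest is 32 hex characters like the hash shown above; the verdict table, file names, and function names are constructed stand-ins for the cloud database.

```python
import hashlib
import os
import tempfile

def file_hash(path, chunk=1 << 16):
    """32-hex-character digest of the file contents (MD5 is an assumption)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()

def scan(paths, cache, verdicts):
    """Return {path: (verdict, hashed)}.

    cache maps path -> (size, mtime_ns, verdict) from earlier scans.
    verdicts maps hash -> "good" / "bad"; a missing hash means "unknown".
    """
    results = {}
    for path in paths:
        st = os.stat(path)
        stamp = (st.st_size, st.st_mtime_ns)
        cached = cache.get(path)
        # Method (a): unchanged since last scan and already classified -> skip.
        # "unknown" is never final, so those files are looked up again.
        if cached and cached[:2] == stamp and cached[2] != "unknown":
            results[path] = (cached[2], False)
            continue
        verdict = verdicts.get(file_hash(path), "unknown")
        cache[path] = stamp + (verdict,)
        results[path] = (verdict, True)
    return results

def demo():
    """Three scans over two constructed files; the second file is never seen."""
    with tempfile.TemporaryDirectory() as d:
        known, new = os.path.join(d, "known.exe"), os.path.join(d, "new.exe")
        with open(known, "wb") as f:
            f.write(b"constructed known-good sample")
        with open(new, "wb") as f:
            f.write(b"constructed never-seen sample")
        verdicts, cache = {file_hash(known): "good"}, {}
        runs = [scan([known, new], cache, verdicts) for _ in range(2)]
        with open(known, "ab") as f:  # content change invalidates the cache
            f.write(b" tampered")
        runs.append(scan([known, new], cache, verdicts))
        return [[r[known], r[new]] for r in runs]

if __name__ == "__main__":
    for run in demo():
        print(run)
```

Size and modification time are a fast change signal, not proof: a change that preserves both would be skipped by this check, which is why the file still has to be examined when it is actually run.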
Hopefully this helps to clarify why Webroot SecureAnywhere is both better and faster than the traditional antivirus models.
If you read this whole thing, you deserve a kudo from me! :D