SecureAnywhere™ Business Endpoint Protection

Instantaneous protection and fast scans without the hassle of time-consuming patches and signature updates.

Smarter, Faster and More Effective Protection

• Instantaneous Cloud-Predictive Malware Protection

• 750 KB Client: Installs, Scans & Protects In Seconds

• No Conflicts with Existing Security or Endpoint Software

• Advanced Offline Protection Against Zero-Day & Highly Adaptive Threats

• Complete User Agent Policy Controls & Protection

• Browser Identity & Privacy Shield

• Powerful Endpoint Agent Commands

• "Last Good State" Endpoint Rollback & Remediation

• System Cleaner Performance & Productivity Tools

Webroot SecureAnywhere® - Endpoint Protection is the next generation of endpoint security. It's smarter, faster, more effective, and much easier to use and deploy.

Webroot SecureAnywhere® uses a distributed model wherein the threat intelligence gathered from endpoints around the world instantly protects all other endpoints that use the Webroot Intelligence Network, creating a 24/7 circle of protection. We call it Cloud Predictive Intelligence, and when leveraged along with the Webroot SecureAnywhere Agent's advanced behavioral heuristics, outbound firewall, and offline protection, endpoints no longer have to rely on large signature updates to remain protected from malware threats.

Cloud Predictive Intelligence is the method Webroot® uses to assess whether existing, new or changed files and processes are safe to run on a user's machine.

When the Webroot SecureAnywhere® Agent is first installed, it scans the endpoint to build a local cache of all the files and processes already present. It then continuously monitors for new or changed files that are attempting, or are poised, to execute. Files are instantaneously validated against the Webroot Intelligence Network to make a categorization as 'known good' or 'known bad'. If a determination of 'known good' or 'known bad' cannot be made, files go into a third category: 'unknown/undetermined'.

The Cloud Predictive Intelligence process flow for a 'known good' file

The Cloud Predictive Intelligence process flow for a 'known bad' file

The Cloud Predictive Intelligence process flow for an 'unknown/undetermined' file

How it Works

When a new file is identified or an existing file is changed, a file hash is created on the local endpoint. That hash is then encrypted and securely sent to the Webroot Intelligence Network.

Known Safe

If the Webroot Intelligence Network has seen the file before, and it is 'known good', the determination is sent back to the endpoint and the file is allowed to execute.

Known Malicious

If the Webroot Intelligence Network has seen the file before, and makes a 'known bad' determination, the file is immediately quarantined and blocked from being able to execute.


The most significant risk to endpoints is from newly released malware, also known as a zero-day threat. In this scenario, the file has never been seen before, so the Webroot Intelligence Network is unable to make an instantaneous determination based on the file hash alone. Rather than assuming the file is not a threat because it is not 'known bad', the agent monitors the file's execution without compromising the endpoint, recording which other files are touched, which changes are made, and any network activity that is attempted. The behaviors from this pseudo-execution are analyzed in more detail and matched against the Webroot Intelligence Network's database of behavioral rule sets.

If a definitive determination is still not possible based on the behavior, the file is then allowed to run on the endpoint. Full monitoring and journaling runs alongside all the other Webroot security shields until the new file can be clearly identified as 'known good' or 'known bad'. Any actions that exhibit malware behavior are immediately blocked, even though the file itself is allowed to execute.

When the Webroot Intelligence Network has enough information about the file to accurately identify it as 'known bad', it will block any further execution, quarantine the file, and roll back any changes that have been made based on the information journaled since the file was first identified on the endpoint. This will restore the machine to the pre-infection state.

Strength in Numbers

Additionally, if a file is determined as 'known bad', all other endpoints in the network that might encounter this program are automatically protected as well because the file hash is updated in the Webroot Intelligence Network. This means the next time that file is seen, there is no need to do a behavioral analysis or journaling, because the file hash will immediately be identified as malware upon the first check.
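The flow described above (hash lookup, journaling of an 'unknown' file's changes, rollback on a later 'known bad' verdict, and instant blocking on the next endpoint) can be simulated in a few lines. This is an added example, not Webroot's code: the class and function names, the in-memory file system, the dictionary standing in for the Webroot Intelligence Network, and the choice of SHA-256 are all assumptions.

```python
import hashlib

CLOUD_VERDICTS = {}  # constructed stand-in for the cloud verdict store: hash -> "good"/"bad"

def file_hash(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()  # hash algorithm is an assumption

class Endpoint:
    def __init__(self, files):
        self.files = dict(files)  # simulated file system: path -> bytes
        self.quarantine = {}      # path -> bytes of blocked files
        self.journals = {}        # hash of monitored file -> [(path, prior content or None)]

    def on_execute(self, path):
        h = file_hash(self.files[path])
        verdict = CLOUD_VERDICTS.get(h, "unknown")
        if verdict == "bad":
            self.quarantine[path] = self.files.pop(path)
        elif verdict == "unknown":
            self.journals.setdefault(h, [])  # allowed to run, but every change is journaled
        return {"good": "allowed", "bad": "blocked", "unknown": "monitored"}[verdict]

    def record_write(self, actor_hash, path, new_content):
        if actor_hash in self.journals:  # save prior state before a monitored file's change
            self.journals[actor_hash].append((path, self.files.get(path)))
        self.files[path] = new_content

    def on_verdict(self, actor_hash, actor_path):
        verdict = CLOUD_VERDICTS.get(actor_hash, "unknown")
        journal = [] if verdict == "unknown" else self.journals.pop(actor_hash, [])
        if verdict == "bad":
            for path, prior in reversed(journal):  # undo the newest change first
                if prior is None:
                    self.files.pop(path, None)     # file did not exist before: remove it
                else:
                    self.files[path] = prior
            if actor_path in self.files:
                self.quarantine[actor_path] = self.files.pop(actor_path)
        return verdict

def demo():
    CLOUD_VERDICTS.clear()
    ep = Endpoint({"report.txt": b"Q3 numbers", "new.exe": b"constructed sample"})
    h = file_hash(ep.files["new.exe"])
    first = ep.on_execute("new.exe")             # never seen before -> monitored
    ep.record_write(h, "report.txt", b"overwritten once")
    ep.record_write(h, "report.txt", b"overwritten twice")
    ep.record_write(h, "dropped.txt", b"new file")
    CLOUD_VERDICTS[h] = "bad"                    # the cloud reaches a verdict later
    return first, ep.on_verdict(h, "new.exe"), ep
```

Replaying the journal in reverse is what returns `report.txt` to its original content after two successive overwrites; a second `Endpoint` that sees the same bytes is blocked on the first lookup with no journaling.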

Safeguards Against False Positives

If a file has been determined as 'known bad' by the Webroot Intelligence Network, but is being run intentionally in an environment, administrators have the ability to set an override to allow its continued use. For instance, a keylogger may have been legitimately deployed within a network for IT or development work. Webroot SecureAnywhere is likely to classify this type of file as 'known bad' since it exhibits malicious keylogger behaviors. This would be an inaccurate determination for a specific set of users in this environment. With Webroot SecureAnywhere, an administrator is able to immediately override a 'known bad' determination with a few mouse clicks from within the web management console and re-classify the file as 'known good' for their network.