Kaspersky's System Watcher feature has like capability and it is always one of the top scorers in AV labs tests: https://support.kaspersky.com/9101 Appears the AV Labs classify such activities as remediation and not protection activities. If Webroot does such activities automatically w/o alerting or recording via event log, the malicious activities is where they could get dinged by the AV labs. Note that in the AV lab dynamic tests, usually detection within a 24 hour period is considered positive detection. Such is not the case in the realtime tests. Also and notable is the elapsed time from initial infection to rollback mediation. If for example this was malware injecting the browser to capture your banking credentials, rollback processing is useless in preventing that from happening.