Anti-Virus Software is Not a Security Defense

While anti-virus software is an important component of a secure defense, it is a tool that addresses a portion of the problem. Alfred Huger, VP of Engineering for anti-virus vendor Immunet, likened the effectiveness of an anti-virus program to that of a seat belt: the safety feature will only possibly protect you in the event of a crash. While it is a necessity to wear it every time you operate a vehicle, you need other, larger-scale measures to prevent the accident.

A study conducted by Microsoft found that when 5.7 million PCs with AV protection were scanned, 62% had Trojan viruses on them, and 20% were re-infected after they were fixed. Enterprises are encountering the same problems as end users. A survey conducted by the Yankee Group Security Leaders found that 99% of enterprises had anti-virus programs at the time of the survey and 62% still had virus infections. The bottom line is that anti-virus software alone is an ineffective way to protect your PC and always will be.

Anti-virus is ineffective for a number of reasons, such as malware mutations, software vulnerabilities, and end-user maintenance and concern. New and old malware is constantly surfacing and changing algorithms to stay ahead of signature-based security measures. According to David Harley, board member of the Anti-Malware Testing Standards Organization, over 100,000 new malicious programs are released onto the Internet every day. It takes an average of 45 hours for the top 5 anti-virus vendors to detect the latest threats. The result is that AV fails to protect against 80% of new viruses, and computers relying on anti-virus are susceptible to attack from new mutations.

There are also software vulnerabilities that are not dealt with adequately. Some users update their operating systems, but most do not update their software packages. This leaves computers vulnerable to later-discovered bugs that give cybercriminals an open door into your system. Updates are a full-time commitment, and beyond applying the latest security patches, users should also include certified email, web page scanners, and browser security tools in their overall defense strategy.

Anti-virus is helpful when protecting against already known intruders, but does virtually nothing against unknown intruders. Anti-virus is one small piece of a very large security puzzle. To be truly protected from cybercriminals, a system needs a variety of mechanisms, such as firewalls, port monitors, content filters, and most importantly anti-Trojan applications. The key to a solid security defense is blocking or disrupting communications, particularly with Command and Control (C&C), so that the infection is harmless and cannot spread.

The greatest argument for why anti-virus isn’t effective is that end users are left with the responsibility to defend themselves, and most know and care little about what they are trying to control. End users may disable their anti-virus updates, or their anti-virus software altogether, because it affects their overall use of the computer. The average PC owner cannot be left with the sole responsibility of protecting their personal information, any more than a person is solely responsible for protecting themselves against new strains of flu or other diseases. Experts are required and often need to take action not just at the point of infection but also in the surrounding regions in order to be effective.

