I have several clients with centrally-managed corporate AV. Over the last year or so I've seen those systems catch a relatively small number of threats, the users have been warned against indiscriminate non-business Internet access, and I've given them basic training in safe use of the Internet and computing in general. In that same time, 5 of their machines have been infected with serious to extremely serious rootkits. A couple of weeks ago, I spent a couple of hours trying to disinfect one of them, and gave up because the machine is a few years old and not worth even replacing the hard drive. We junked it and replaced it. However, that machine attacked two others on the LAN, trashing the AV on one and the network stack on another. All 3 machines were Symantec corporate Endpoint Protection.

So in my experience in the last while, the ratio of threats averted to machines infected is not very good.

>In all the years I have run AV, I can only think of one time that malware got through. But I've seen it catch more malware than I can remember. In my book, that's a win.
>
>>When you really need them, seat belts will probably function.
>>
>>When you really need it, AV often does not. In fact, the more serious the threat, the more likely AV won't work.