- On preview, this is a big-assed reply, and kind of rambling too. I apologize in advance -
control-z, I knew we’d meet again! 
Listen, you are entirely in your rights to take issue with what you see as bloated, potentially ineffective products. And if you feel confident you can compute safely without AV software on your system, great. Good on you.
I will acquiesce to your point that the market-leading consumer versions may be a bit heavy on the unnecessary features and the cute and pretty user-comforting GUIs, both of which can bog a system down. However, were it not for the Norton, McAfee and the like with their “feature bloat”, the average low-tech end-user would not run AV software. And let’s face it, the average, low-tech end-user is a major source of the security problem - I don’t say this to be smug or insulting, it’s just a truism that will never change.
As I mentioned in this thread, I use a corporate AV product because I work for an AV company, so I can’t really speak to specific issues with consumer products, and ethically, can’t really promote my company’s product - if you think it sucks, then good for you. But I can defend the use of AV software in general.
Let me put it like this - we’ve all heard stories from computer professionals about the system that gets infected even though AV software is installed on it. Well, keep in mind, that the malware got on the system despite the presence of AV software, not because of it. If AV software had never, at any point, been installed on the user’s system, imagine how much worse the problem would have been? If the end-user had been clicking attachments with impunity, and installing spyware-attached “freeware” to their heart’s content, without any protection on the system, how bad would the problem have been then?
Here’s the crux of the issue. People have said, in this thread, and in many other places, that AV vendors need to stop being reactive and start being proactive - that if someone could simply detect bad stuff that is about to happen on a system just because it looks like “bad stuff”, then you’d eliminate the need for regular updates. This ignores a couple of hard facts: first is the golden rule of security - one needs to assume that every security measure one takes will fail at some point, thus necessitating remediation. In the case of viruses/malware, this remediation is the quarantining and removal of the threat. Even if realtime scanning fails for some reason - common reasons are an unknown threat disables it, the real-time engine isn’t running, or, commonly, the end-user turns it off before disconnecting - a manual scan can usually be run to find threats and remove them. So some kind of AV detection engine will always be needed for manual detection and removal of threats.
Second, to block threats by behavior requires pretty tight administration and control over the target system, to establish the baseline of “good” behavior so one can then identify “bad” behavior. It’s easy enough to gripe that “bad behavior is pretty obvious, so just block it” - in reality, a lot of info needs to be fed into the security product before any blocking can occur. What applications you want to use, what filetypes they use, what protocols, ports, etc. etc. ad nauseam - if you’ve ever installed a client firewall like Norton Internet Security, ZoneAlarm, etc., these are those “annoying” popups you get the first couple of weeks of using the product. The problem is that even when they have a client firewall installed, the average low-tech end-user will often misconfigure the firewall rules so that stuff is blocked that shouldn’t be, or so that stuff that should be monitored is not.
To take control-z’s example of creating a startup rule for “Bob’s Beer Brewer” program - quite often, the untrained user will either misconfigure it to block, or worse, allow all communication on all ports and protocols. If it’s just “Bob’s Beer Brewer” that’s not much of a problem; but what if the rule is created for Outlook, or IE, or some spyware app that was just downloaded and installed?
control-z, you mentioned a rootkit on a system? If a rootkit got on a system with any decent AV product on it, either the end-user turned off the antivirus (or never had it turned on to begin with) or they installed it on an already-infected system. Or maybe their installation of Windows was severely hosed and the AV product never hooked into the API properly. Every major AV vendor ensures that their stuff goes out the door capable of detecting the most severe threats by default, out of the box - to not do so would be irresponsible. What happens from the time the product is taken out of the box, installed on the system, and configured, is entirely up to the end-user or system builder.
It also doesn’t help that a great many mainstream applications instruct the user to turn off AV and firewall software before starting an application - The Sims 2, for example. Once the security software is turned off, the system is wide open to infection if still connected to the internet. Not all viruses these days require someone to manually open an attachment - there are a ton of very common threats that simply require a specific vulnerability and a certain protocol to be available. Blaster, Welchia, Nimda, around 1,000 gaobot and spybot (not SpyBot S&D) variants. And unlike email viruses, which eventually stop due to their manual method of propagation, these threats never go away. Right now, I guarantee you there is a system connected to the internet churning out Nimda infection attempts, even though it’s 5 years old. And if you’re running an old Win2k or Win98 system without patches (trust me, there’s more of these out there than you think) and connect to the internet, you will be infected.
I guess after all this, what I’m trying to say is this - if one can compute and communicate safely, and has a basic understanding of how to keep their system protected and secure, then great. There are a great many people out there who don’t understand the concepts involved, and frankly, many of them do not want to understand. As an example, my dad practically lives on his computer - he trades on eBay, uses email more than the phone, and plays a pretty mean game of Solitaire. But I have tried time and time again to explain some basic security concepts to him, and he just can’t grasp them. Same with many other friends and family. Hell, I have an uncle who used to teach university-level math - definitely the smartest guy in any room - I sat with him for an hour or so at Thanksgiving a few years ago trying to explain just what the hell I do for a living, to no avail (as I mentioned in the other thread, I sell security software). These are the kind of users that will always go with a known brand, and will demand the kind of user-comforting features that tend to be perceived as “bloat”.
My last word (this is probably more than I’ve posted on the SDMB in three years) - effective, enduring security solutions will always involve a recurring fee structure. If everyone switched to Grisoft or Avast or (insert free AV product here), they could not scale. They would either go out of business, or begin charging a regular fee. The smaller, free solutions have the benefit of being niche players that have a base of technically experienced users - meaning that their users for the most part already compute safely. As more and more inexperienced users adopt such a solution, if the vendor didn’t buckle under the weight of an exponential increase in threat submissions due to both volume and an increasingly uneducated user base, they would collapse under the high-bandwidth demands of the update distribution infrastructure - unless they started charging.
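The post's point about per-application firewall rules (the "Bob's Beer Brewer" example, and the worry about an "allow everything" rule being created for a mail client or browser) can be made concrete with a small model. This is an added example written for this page, not code from the poster or from any firewall product named above; the rule evaluator, the application name `mailclient.exe`, the port lists and the connection attempts are all constructed assumptions for illustration. It compares three hypothetical rule sets for the same mail client: the over-permissive one, a rule scoped to the ports a mail client actually needs, and the opposite misconfiguration where the user simply blocks the application.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    """One per-application rule, like the ones a client firewall prompts for."""
    app: str
    action: str                                  # "allow" or "block"
    protocols: Optional[FrozenSet[str]] = None   # None means any protocol
    ports: Optional[FrozenSet[int]] = None       # None means any remote port


@dataclass(frozen=True)
class Attempt:
    """An outbound connection attempt as the firewall would see it."""
    app: str
    protocol: str
    port: int


def rule_matches(rule: Rule, attempt: Attempt) -> bool:
    """A rule applies only if the app, protocol and port all fall within it."""
    if rule.app != attempt.app:
        return False
    if rule.protocols is not None and attempt.protocol not in rule.protocols:
        return False
    if rule.ports is not None and attempt.port not in rule.ports:
        return False
    return True


def decide(rules: List[Rule], attempt: Attempt, default: str = "block") -> str:
    """First matching rule wins; anything unmatched falls to the default action."""
    for rule in rules:
        if rule_matches(rule, attempt):
            return rule.action
    return default


# Hypothetical rule sets for a mail client (app name and ports are constructed).
MAIL = "mailclient.exe"
PERMISSIVE = [Rule(MAIL, "allow")]                     # "allow all ports and protocols"
SCOPED = [Rule(MAIL, "allow", frozenset({"tcp"}),      # only what a mail client needs
               frozenset({25, 587, 993, 995}))]
OVERBLOCKED = [Rule(MAIL, "block")]                    # the other misconfiguration

# Constructed attempts: two legitimate mail connections, and two that a mail
# client has no reason to make (the kind of traffic a scoped rule would stop).
LEGITIMATE_PORTS = {587, 993}
ATTEMPTS = [
    Attempt(MAIL, "tcp", 993),    # IMAP over TLS
    Attempt(MAIL, "tcp", 587),    # SMTP submission
    Attempt(MAIL, "tcp", 6667),   # IRC: not mail
    Attempt(MAIL, "udp", 1434),   # SQL Server resolution: not mail
]


def summarize(rules: List[Rule]) -> Dict[str, int]:
    """Count what each rule set lets through and what legitimate traffic it breaks."""
    decisions = [decide(rules, a) for a in ATTEMPTS]
    legit = [a.port in LEGITIMATE_PORTS for a in ATTEMPTS]
    return {
        "allowed": sum(d == "allow" for d in decisions),
        "unexpected_allowed": sum(d == "allow" and not ok for d, ok in zip(decisions, legit)),
        "legitimate_blocked": sum(d == "block" and ok for d, ok in zip(decisions, legit)),
    }


if __name__ == "__main__":
    for name, rules in (("permissive", PERMISSIVE), ("scoped", SCOPED), ("overblocked", OVERBLOCKED)):
        print(f"{name:12s} {summarize(rules)}")
```

The permissive rule set lets all four attempts through, so a compromised or spyware-bundled client gets the same freedom as the real one; the scoped rule set passes only the two mail connections; the blanket block stops the unwanted traffic but also breaks the application, which is exactly the point in the post about users ending up with rules that block what they shouldn't or monitor nothing at all.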