They aren't too hard to implement. I use software restriction policies on the computer part of the GPO to block exes from %temp%, %tmp%, etc. This can cause some problems with installations, but you can always remove the restriction, run the install, and then add the restriction back.
The exe whitelisting is a bit more tedious. It is easy for a user to bypass, but it seems to prevent several malware infections. I haven't seen any users bypassing it, but that obviously doesn't mean that they aren't. :) I use the 'Run only allowed Windows executables' setting on the user side of the GPO. You basically just build a list of allowed exe names.
Having users run without admin privs seems to be a key element in our stability. Sure, it means a bit more work for me, but it pays off in the long run.
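As an added example (not the poster's own configuration), here is a read-only PowerShell audit of how those two settings land in the registry on a client. It assumes the standard SRP location (HKLM\...\Safer\CodeIdentifiers) and the per-user RestrictRun location (HKCU\...\Policies\Explorer), and must be run as the user whose policy is being checked.

```powershell
# Added example, not from the thread. Assumes the standard SRP and RestrictRun
# registry locations; run as the user being checked (RestrictRun lives in HKCU).
$srpRoot        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$restrictRunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# SRP security levels: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }

function Get-SrpPathRules {
    if (-not (Test-Path $srpRoot)) { return }
    foreach ($levelKey in Get-ChildItem $srpRoot) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
        $pathsKey = "$($levelKey.PSPath)\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem $pathsKey) {
            $data = (Get-ItemProperty $rule.PSPath).ItemData   # e.g. %TEMP%\*
            if (-not $data) { continue }
            [pscustomobject]@{
                Level    = $levelNames[[int]$levelKey.PSChildName]
                Path     = $data
                Expanded = [Environment]::ExpandEnvironmentVariables($data)
            }
        }
    }
}

# Is each temp directory covered by at least one Disallowed path rule?
function Test-TempBlocked {
    $deny = Get-SrpPathRules | Where-Object { $_.Level -eq 'Disallowed' }
    foreach ($var in 'TEMP', 'TMP') {
        $dir = [Environment]::GetEnvironmentVariable($var)
        $hit = $deny | Where-Object {
            $dir.TrimEnd('\') -like ($_.Expanded.TrimEnd('\', '*') + '*')
        }
        [pscustomobject]@{ Variable = $var; Directory = $dir; Blocked = [bool]$hit }
    }
}

# The per-user allow-list behind 'Run only allowed Windows executables'.
# It is enforced by Explorer, which is why the post calls it easy to bypass.
function Get-RestrictRunList {
    $props = Get-ItemProperty $restrictRunKey -ErrorAction SilentlyContinue
    if (-not $props -or $props.RestrictRun -ne 1) { return }
    $listKey = Get-Item "$restrictRunKey\RestrictRun" -ErrorAction SilentlyContinue
    if (-not $listKey) { return }
    $listKey.GetValueNames() | ForEach-Object { $listKey.GetValue($_) }   # one exe per value
}

Test-TempBlocked | Format-Table -AutoSize; Get-RestrictRunList
```

A temp directory reported as Blocked = False, or an empty allow-list while RestrictRun is set, means the GPO has not applied the way the post describes.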
I have found Spybot to be lacking in the past couple of years. My preferred spyware program is MBAM, and secondly SuperAntiSpyware. However, Spybot is good at finding PUPs and modified Windows security settings in the registry, so I usually finish up with that.
Well, I use MBAM and Spybot, as they do tend to find different things. One additional comment is that MBAM is updated very, very frequently, whereas Spybot isn't quite so often.
Another one I use is A-Squared, as once again it will find different things.
Mainly I am dictated to by customer requirements, which are usually "quick and cheap", so a reinstall is frequently the obvious answer.
I would agree that most things can be cleaned unless it is one that replaces executables with its own code. You would have to do a repair install anyway, so there is no advantage in letting an AV delete the files for you.
If I find a rootkit or suspect that a trojan has actually run on the machine I would also reinstall as a matter of course.
I think that you need to look at how your anti-malware works as well.
I get calls from people saying that their AV has reported a virus (usually a trojan, as it goes). What has actually happened is that the AV has detected something possibly nasty, blocked access to it, and issued an alert.
Sure, it's still there waiting to happen, but the AV won't let it run, unless you turn the AV off... Now, if they have done that, I ALWAYS reinstall... "Haven't backed up your personal data? Oh dear!"
Other AVs will quarantine suspicious stuff, but I never let an AV go ahead and delete without human intervention.
I take the view that once you have let it out of the bag, you don't know where it has gone, so a repair install is inadequate.
I believe that the most important feature of security software isn't the speed of scan or whatever they actually detect, it's what they detect at the perimeter and prevent from happening unless you OK it. At that stage in the game I really don't mind false positives.