Yes Cider: a software/hardware and user Policy must be in place.. But user education is the most expensive, $ them, Time and stress for US.


Personally I do not use any AV on my personal PC. SWMBO and the guests PC has MS Security essentials... but only because I have to assume they do not know a good deal from a Nigerian Gift.


That being said, My business PC's are a different story – 13 of the 17 have AV software, but that is to do with something called "Compliance", for insurance and Statutory requirements – as well as the need to comply with the requirements of client network administrators.
My home and business networks are protected by a hardware firewall. Business is Cisco, home is Smoothwall/IPCop or whatever my f/w flavour of the month is..
I do not use my ISP's assigned DNS Servers on any of my networks.. Currently using OpenDNS.
I use an tool to automatically keep my Web facing/accessing applications patched/up to date. Out of policy this tool is installed into every one of our domestic client's PC that goes through our workshop .

On the subject of the “average non-PC-savvy Joe”. Most of the domestic PC issues that we have encountered over the past few years are attributed to issues DIRECTLY related to Vulnerabilities in Java, Flash and the Browser. Each of IE, FF, Opera and Chrome/Safari stand condemned.
Anyone on a Windows XX system that is running any browser unpatched, and or not running the current build of Java, Flash or PDF reader, REGARDLESS of their AV of choice are an open target to any of the Drive-by Parasite feasts.
Who remembers the Blaster worm.. OK if a certain port was being blocked on the firewall it was a non-issue.. but for those who didn’t - it was able to install it’s payload in spite of the Antivirus. AND THAT ISSUE STILL STANDS TODAY..
Now instead of knocking at the door (vis: attacking a vulnerable network facing service/port) they romp in via whatever Port your browser has open, as a bit of Java, Flash, or even a PDF file, stun and piss all over the AV then run off and download the balance of the package, to have the PC Owned in 60 seconds.
An anti-virus will not protect against that. They only do a half-hearted effort at the old email viruses. But Updating web facing apps will help reduce the risk, using a DNS service that at least locks out the known compromised IP addresses, a user friendly Script Blocker and, yes, a good Firewall – software and hardware.

The only real use for an AV for me, after "Compliance", is to assist in clean-up of client pc's after infection removal. Some of the “Security Suites” are now including update tools and “Intelligent Script Blocking” … not there yet.. but by the time they are.. the attack vector will be elsewhere.



BTW: the 4 of my Business PC's that do not have AV? 2 are *nix - 2 windows : on a isolated sub net ..