There seem to be at least three different concepts of malware defense.
1. Definitions
Recognize everything by signature and when it comes into the machine, get it out or stop it from running. This is heavy on the machine, because there are so many millions of definitions out there and increasing daily that the definitions files are bigger than the O/S. It is fairly fast, accurate, but has to be updated constantly. There is no protection without the signature.
2. Everything is in the cloud
This is light on the system, fast, can have as many definitions as you want and heuristic detection is on the machine. It isn't much good if you can't reach the cloud, as mentioned by AV-comparatives.
3. Combination
This reduces the amount of definitions required, and relies partially on the cloud, which is the way Symantec chose to go. There is reduced protection without the cloud, but if infected there is still some utility in the program. With the cloud, there is file recognition, heuristics, and a zillion signatures.
All antivirus programs work, to a large degree. All have strengths and weaknesses. We are suffering a crisis of faith over a difference between 95% effectiveness and 99% on a limited test. One thing to consider, is that it was the false positives that lowered Symantec's rating on this test. No user is going to have all 57 items that threw FP's on the same machine so the actual detection rate is higher. Avast free looks very, very good, but there are still Avast users on the malware removal forums getting assistance. Nothing is perfect.
Under certain circumstances profanity provides relief denied even to prayer.
Mark Twain
