No a/v, not matter how expensive or how good, will ever protect a workstation from a new or zero day malware doing the rounds. You need to stop it before it gets in. Once its on the workstation, its goodbye workstation. You ever listen to Leo or Steve Gibson on Security Now, or TWIT talking about malware infections on workstations (windows, no doubt)? HDformat the drive and start again. The only way is to only allow in whats needed. Content filter the web, stop those dlls and exes getting in; whitelist those you need. Filter the SMTP to stop all unwanted attachments and check the spam blackholes. Most importantly, have IDS/IPS to alert you when its going on; all defences need realtime alerts to let you know if some workstation is (trying) to go where its shouldn't. You don't need to shell out for cisco, look at something like this: http://i-firewall.co.uk. Gibson runs XP and no a/v. No A/V! You'd think he must be mad, wouldn't you?