[lmm]

> in many cases AV software was deliberately disabled by user

Right, because the only way AV software can ever be effective is if it blocks things that legitimate programs also do (if a given piece of functionality has no legitimate uses it wouldn't be in the OS in the first place) - so users get in the habit of disabling it. Installing a piece of software that e.g. stops you running any downloaded .exe files is useless - if you didn't want to run the .exe you wouldn't be trying to run it, and if you do want to run it you'll turn off the antivirus. If you just want to disallow it completely, you can do that at the OS level easily enough.

There is no magic that AV can do to make it any easier to tell legitimate software from not. Reactive scanning for specific threats is ineffective in the modern era - by the time AV knows about a new form of malware most of the damage has already been done. So all that AV can do is monitor what programs do and apply inherently unreliable heuristics, and maybe be more or less sensitive about those heuristics than the OS is.

[ivan_gammel]

Example with .exe files isn't good one. Modern AVs may do better job than just blocking them. I use Norton AV, which shows a report summary on new downloaded files, based on which I can make informed decision on whether to launch it or not (I personally launch immediately only trusted executables and google for any issues of the rest). The same can be done with all threats: AVs warn, provide some details and let users decide what to do.

[lmm]

> I use Norton AV, which shows a report summary on new downloaded files, based on which I can make informed decision on whether to launch it or not (I personally launch immediately only trusted executables and google for any issues of the rest).

Trusted in what sense? Does Norton maintain their own whitelist? Is there any reason to believe that whitelist would be any better than the digital signature check that's built into windows?

> based on which I can make informed decision on whether to launch it or not (I personally launch immediately only trusted executables and google for any issues of the rest). The same can be done with all threats: AVs warn, provide some details and let users decide what to do.

But what information can the AV offer that actually helps the user makes a better decision than they would have otherwise?

[ivan_gammel]

For apps looks like they have a whitelist based on usage statistics, so it's basically vetting by other users of NAV. It does not replace digital signature check, but it's a good addition to it.

For other threats it can be similar solution.