
"For at least a decade, the standard advice to every computer user has been to run antivirus software. But new, more commercial, more complex and stealthier types of malware have people in the industry asking: will antivirus software be effective for much longer? Among the threats they see are malware that uses the ability of the latest processors to run virtual machines that would be hidden from antivirus programs."
Member since:
2006-10-25
1. Ineffective.
virus.gr used to run extensive tests on detection rates of all anti-virus software and publish monthly results. The last one I have shows Kaspersky rather effective at 99%.
McAfee Enterprise 91%
Symantec 83%
For Symantec, the most popular antivirus in the world, that is a fantastic double-digit failure rate of 17%.
2. Ineffective
Most viruses' source code is readily available online. A few small changes and this "new" virus is invisible to almost all virus scanners. Too much trouble? Recompile it - chances are this "new" compiled version will also not be detected since it isn't exactly like the one on record. Don't have the source or really lazy? Compress the executable and you'll find again that most anti-virus scanners fail to see it.
3. Black list
Absolutely cannot work when there are hundreds, perhaps thousands of new additions to the list *daily*. See #1
4. Cure is worse than the disease.
Many people have Norton (not Symantec) installed on their home computers for protection.
This causes system instability, incredible slowdowns and in most cases it cannot be removed by its own uninstaller. When its uninstaller does not fail, much is still left behind.
At work, Sunday morning is filled with tech calls regarding lockups and slowdowns. One of the major servers is being scanned for viruses. If a virus hit on Sunday morning, no one would notice anything out of the ordinary.
5. Subscription
Few pay it. Few want to. Most feel they shouldn't have to. They are right. The OS should not be *that* vulnerable to begin with.
6. Apathy
The "background noise" of the Internet is due to millions of virus or trojan (zombie) Windows machines. Slow, crash-prone, and loaded with spyware and adware popups, and the user will still click it all away, agreeing to anything just so they can check their bank to see if they can afford that Dancing Bunny on eBay. This is also related to #5. If the user has a significant role in the security of the system, it won't be secure.
7. And finally, The Dancing Bunny Problem
"What's the dancing bunnies problem?
It's a description of what happens when a user receives an email message that says 'click here to see the dancing bunnies'.
The user wants to see the dancing bunnies, so they click there. It doesn't matter how much you try to dissuade them, if they want to see the dancing bunnies, then by gum, they're going to see the dancing bunnies. It doesn't matter how many technical hurdles you put in their way, if they stop the user from seeing the dancing bunny, then they're going to go and see the dancing bunny.
[UAC: DancingBunnys.exe, Cancel or Allow?]
There are lots of techniques for mitigating the dancing bunny problem. There's strict privilege separation - users don't have access to any locations that can harm them. You can make the user invoke magic commands to make code executable (chmod +e dancingbunnies). You can force the user to input a password when they want to access resources. You can do lots and lots of things.
However, at the end of the day, the user still wants to see the dancing bunny, and they'll do whatever is necessary to bypass your carefully constructed barriers in order to see the bunny."
In OS design, the Dancing Bunnies problem should ALWAYS be considered, with a carefully crafted medium between usability and security to include least privileges, password-protected rights elevation, and secure defaults.
Windows has failed to deal with Dancing Bunnies for decades. Vista still does not effectively deal with this problem.
Viruses and spyware will only stop, or come to a much more reasonable classification of "rare", when Microsoft designs an OS that is resistant (limited users with password-protected elevations) to the Dancing Bunnies problem. Any other solution, including anti-virus, is a poor substitute for real OS and computer security.
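
Point 2 of the comment above, seen from the scanner's side, as an added example that is not part of the original comment: a whole-file hash blacklist misses an edited or compressed copy of a known file, while matching on byte n-grams after unpacking still recognises it. This goes beyond the comment by adding the similarity check; the sample bytes are constructed and harmless, and the 4-gram Jaccard measure and the 0.8 threshold are illustrative assumptions.

```python
import hashlib
import zlib

# Constructed stand-in for a blacklisted file: harmless bytes, not real malware.
KNOWN_BAD = b"SAMPLE-HEADER" + bytes(range(256)) * 4 + b"show_bunnies();" * 20
BLACKLIST = {hashlib.sha256(KNOWN_BAD).hexdigest()}

def ngrams(data: bytes, n: int = 4) -> set:
    """All distinct byte n-grams in data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

KNOWN_GRAMS = ngrams(KNOWN_BAD)

def exact_match(sample: bytes) -> bool:
    """Classic blacklist check: whole-file hash lookup."""
    return hashlib.sha256(sample).hexdigest() in BLACKLIST

def similarity(sample: bytes) -> float:
    """Jaccard similarity of byte 4-grams against the blacklisted file."""
    grams = ngrams(sample)
    return len(grams & KNOWN_GRAMS) / len(grams | KNOWN_GRAMS)

def unpack(sample: bytes) -> bytes:
    """Undo zlib compression if present; otherwise return the input as-is."""
    try:
        return zlib.decompress(sample)
    except zlib.error:
        return sample

def scan(sample: bytes, threshold: float = 0.8) -> dict:
    """Run the three checks; threshold is an illustrative value."""
    return {
        "exact": exact_match(sample),
        "fuzzy": similarity(sample) >= threshold,
        "fuzzy_unpacked": similarity(unpack(sample)) >= threshold,
    }

# Constructed variants matching the cases in point 2.
EDITED = KNOWN_BAD.replace(b"SAMPLE-HEADER", b"SAMPLE-HEADEX")  # small change
PACKED = zlib.compress(KNOWN_BAD)                               # compressed
BENIGN = b"plain text notes " * 100                             # unrelated file

if __name__ == "__main__":
    for name, data in [("original", KNOWN_BAD), ("edited", EDITED),
                       ("packed", PACKED), ("benign", BENIGN)]:
        print(f"{name:9s}", scan(data))
```

The packed copy is caught only by the check that unpacks first, which is the step the comment says most scanners skipped.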