Most vendors eventually quarantine or delete, but they often don’t repair what was changed in the registry.

In my experience, end users won’t call the helpdesk or administrator because the anti-virus “worked”, albeit several weeks/months later. Everyone admits that once an infected computer is on irc : game over. Unencrypted bots only allows the IDS to blink so you get that warm fuzzy feeling that you’re discovering new viruses.

Simply put, if antivirus discovers an infection, re-image.

Reality is : custom attacks are happening and will never be detected until money or intel is identified as stolen & true incident response kicks in.