What is CIS doing? It is NOT an AV. You may not want to use the “best AV.” You want to use the best overall security scheme. This is a different question, unless you say “best AV” means the AV that fits in best with my other security components.
The old paradigm, which is not followed by security products now, was entirely a “housecleaning” model. The maid went through the house thoroughly removing dirt and stains, leaving only “clean” rooms. No lock on the door to prevent the dirt coming in. The maid who could recognize and clean up dirt best was the best servant. The signature base was critical. If the cleanup was good and fast, it would be done before the dirt caused any harm.
As AV products developed, the “maid” became more of a “butler” who watched what was going on and fetched things for the master and mistress of the house. If the silver was not polished enough when the table was set, or the master of the house required to use a room, the butler would check it on the fly and order the servants to clean it then in “real time.” Of course the butler would also watch how the other servants performed, and if one did not perform correctly, or was using dirty silver in the kitchen, he would catch that on the fly. Thus was born “heuristic analysis” and “behaviour blocking.” BOC was a novel innovation with slightly different focus, looking at the very last minute before use of an item, and making one last check as an item was “unpackaged” and raised for use in the master's hand. Still, the signature base was important, but it greatly simplified the task of catching dirt because the examination was at the key time and involved looking at a smaller comparison signature base.
Somewhere along the line the idea was developed to close windows and doors, and watch traffic, requiring “dirty shoes off” and no dirt allowed in! Real time AV began to merge with a firewall concept. Firewalls unfortunately are noisy and whenever anyone knocks on the door to enter, you either have to have a rule set for entry or check with the master and seek permission to enter.
Melih has used a similar security metaphor, door locks, burglar alarms, security sweeps, etc., to describe CIS, pointing out that the job is so difficult to close windows and doors and watch all the traffic as it enters and leaves, that you will often fail to stop the dirt from getting in, fail to clean things up, or miss it when you check later. Even a great butler might miss things! So the idea of whitelisting was introduced: only allow known clean items to be used. This is a bit like keeping bright shiny new clean things in a pantry or cabinet and ONLY using those things. Seek approval from the master anytime anything else is used. So now we have the noisy and annoying result that many complain about.
CIS uses a layered approach. The key to its success is how well it combines all the methods, and whether that combination of technologies succeeds best in the end.
Signature base and cleanup skill are only part of the mix. So, the choice of AV is dependent on the other security components, not only how well they work but how well integrated the components are. NO current AV testing really tests end results of a combination or tests degree of integration.