About a year ago I went through the process of evaluating AV’s for the company I was working for. What I did was setup some detection tests using Eicar and some “wild” viruses. Additionally I asked the vendors I chose from instinct: symantec, Sophos, Panda, Fortinet and looked up their listed vuln. in the past year (ovdb) and the time it took them to issue and install an update. I compared the upgrade strategy: engine, threat DB, application; some vendors don’t automatically give you all of that. Used info from http://virusbtn.com to compare some results in time. Setup demos to see them in action, and test their reporting capabilities in real time. After all that of coarse $$$ came into play. With that information I made a BIG table and put some weights on the items and let the best player win. For those who will ask, Sophos came out with the best results in our environment.