About a year ago I went through the process of evaluating AVs for the company I was working for.
What I did was the following:

  1. Set up some detection tests using Eicar and some “wild” viruses.
  2. I asked some vendors that I had short-listed (Symantec, Sophos, Panda, Fortinet) to provide fully fledged versions.
  3. For each of the vendors I looked up their listed vulnerabilities in the past year (ovdb) and the time it took them to issue and install an update.
  4. Compared the upgrade strategy: engine, threat DB, application; some vendors don’t automatically give you all of that.
  5. Used info from http://virusbtn.com to compare some results in time.
  6. Set up demos to see them in action, and test their reporting capabilities in real time.
  7. After all the technical work, of course $$$ came into play.

With the information I made a BIG table and put some weights on the items and let the best player win.

 

PS: For those who will ask, Sophos came out with the best results in our environment.