The articles below are an interesting read but I don't fully agree that whitelisting is the only way to go.

There is also containment and deletion through sandboxing / virtualization / snapshots.

Some industry analysts are proclaiming the traditional antivirus method for detecting and eradicating viruses, trojans, spyware and other baneful code by matching it against a signature to be ?dead."

Tradititional AVs dead

The traditional signature-based method to detect viruses and other malware is increasingly seen as an insufficient defense given the rapid pace at which attackers are churning out virus and spyware variants. All of which raises the question: What?s next?

New approaches to malware detection

White-listing seems like a step towards TCPA and the death of freeware...

Be-cause you just know they will charge companies to get on the white-list.

::edit::

...which means sooner or later it will be comprimised...

One of the reasons I like NOD32. From what I've read, the best proactive protection you can get. However, its overall detection rates have

been going down - Hopefully this will change for version 3. Nevertheless it's one of the best anti-malware software you can buy.

NOD32 is my fav