AV is ineffective. It does some things but not nearly enough to justify its cost, performance hit, and other problems. You only need to work in IT for a while, especially with the front-end of business and networks, to see this. We deploy it because even some things like PCI certification require "up-to-date anti-virus".
In all the years I've been deploying AV, I've seen it stop only a bare handful of the most benign infections. Most of the real ones, that start popping up pornography on students' PCs, or trying to delete entire drives, or even things like "encrypting" every single file on every shared network drive that it has write access to and deleting the original, have gone undetected no matter what the manufacturer, or how often you apply updates.
AV is a bouncer's list of who not to let in, and about as accurate. Sure, it stops some known troublemakers but 90% of the people who start a fight inside the club aren't being dealt with for years after their release (my bursar just got an AV update that marked an email that was FIVE YEARS OLD in his archive as a virus - it was a true detection, but it took that long for the signatures to appear that it could recognise it). You wouldn't let your bouncer JUST stop the people on his list and ignore the fights breaking out behind him (which is the bit that SHOULD be dealt with by "heuristics" but they are even more performance-killing and ineffective), so why do we tolerate AV?
Basically AV is a miner's canary. When it falls over, usually because a virus has disabled it, that tells you something is wrong. That's not the ONLY indication you are given, and sometimes it doesn't give an indication at all. But it's the only useful purpose of AV (and I've seen more AV drop off the network because a virus turned it off, even without admin access!, than I have successful network detection of viruses).
We use it because some stupid people think it's necessary. The actual fix is less-powerful users, easier-to-control permissions, and easier-to-roll-back-from-anything systems (I should not have to put entire machines back to a known-good state just because one program running as a limited user ran riot and infected their own files). Until then, AV companies will still reel in the money detecting next-to-nothing and ghosts in the machine rather than actually STOPPING programs being able to delete or write to arbitrary files without permission.
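The "canary" use of AV described above, where the agent going quiet or being stopped is itself the alert, as an added example that is not part of the original post: it reads a constructed check-in log (the line format, host names and 45-minute silence threshold are assumptions) and flags hosts whose AV has effectively fallen over.

```python
from datetime import datetime, timedelta

# Constructed sample of an AV management console's check-in log.
# Assumed line format: "<ISO-8601 time> <host> <event>", where event is
# "heartbeat" (agent reported in) or "service_stopped" (agent logged its
# own shutdown). Real consoles differ; adapt parse_log() to yours.
SAMPLE_LOG = """\
2024-03-01T08:00:00 lab-pc-01 heartbeat
2024-03-01T08:00:05 lab-pc-02 heartbeat
2024-03-01T08:00:07 lab-pc-03 heartbeat
2024-03-01T08:30:00 lab-pc-01 heartbeat
2024-03-01T08:30:04 lab-pc-03 service_stopped
2024-03-01T09:00:00 lab-pc-01 heartbeat
2024-03-01T09:00:01 lab-pc-04 heartbeat
"""


def parse_log(text):
    """Turn the log text into (timestamp, host, event) tuples in file order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event = line.split()
        events.append((datetime.fromisoformat(ts), host, event))
    return events


def av_canary_alerts(events, now, max_silence=timedelta(minutes=45)):
    """Return {host: reason} for every host whose AV canary has fallen over.

    A host is flagged if its agent logged a stop and never reported back,
    or if it has simply gone silent for longer than max_silence.
    """
    last_seen = {}
    stopped = {}
    for ts, host, event in sorted(events):
        if event == "heartbeat":
            last_seen[host] = ts
            stopped.pop(host, None)  # a later check-in means it came back
        elif event == "service_stopped":
            stopped[host] = ts
    alerts = {}
    for host in set(last_seen) | set(stopped):
        if host in stopped:
            alerts[host] = f"service stopped at {stopped[host].isoformat()}"
        elif now - last_seen[host] > max_silence:
            gap = int((now - last_seen[host]).total_seconds() // 60)
            alerts[host] = f"silent for {gap} min (last heartbeat {last_seen[host].isoformat()})"
    return alerts
```

Running `av_canary_alerts(parse_log(SAMPLE_LOG), datetime(2024, 3, 1, 9, 30))` flags lab-pc-02 (silent) and lab-pc-03 (stopped) while the hosts that are still checking in stay quiet.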