The system can get infected with active and up-to-date antivirus in several ways (including but not limited to):
- infection is spread from infected system memory to your system memory (worms)
- infection is blended (trojan) and first stage is the downloader (might be blocked via GTI/Artemis) or autorun file
- infected file created within the area or file type that is excluded from OAS scope
- OAS/McShield being disabled/killed/stopped by infector due to not enabled/missing Access Protection rule(s) or VSE process vulnerability
I hope I could be of help.
Another to add -
Launching infected code directly from unprotected shares. This puts the malware into memory.
The local real-time scanner would only scan in that scenario if Network drive scanning were enabled, which is not a recommended setting (off by default).
The most common scenario for this is users accessing files on Filers or other remote storage.
Another thing could be a missing important security patch on the infected machine.
This could cause a worm to propagate itself without AV detection.
And just to add my 2 cents, any virusscan can only identify known viruses. There is nothing you can do to prevent new viruses if there is no definition for them.