We've been using the Anti-spyware plugin for VSE 8.7, but also use a variety of other network-style tools. A decent perimeter device like BlueCoat or PaloAlto, combined with your choice of IDS/IPS should help considerably without adding too much delay to normal web-browsing.
You may also want to look at controlling what user-agent strings are allowed to reach-out of your network. Filtering out non-standard browsers and applications will cut down on the garbage floating around. Most people are amazed at what they catch users doing.
rdefino, Are you guys happy with Fireeye? Were others evaluated before selecting them? Why'd you choose fireeye?
Fireeye and its competitors of Damballa and NetWitness Spectrum are being evaluated here. You are spot on in identifying that AV (regardless of manufacturer) is a very broken and ineffective technology these days. Despite its shockingly low effectiveness against modern malware, though, you can't pass many audits if you just forgo AV entirely, and it is decent for detecting old and rather common malware. That said, we use mcafee vse w/ antispyware. Things like preventing execution from temp directories has saved us infections on many occasions.
As Joel mentioned, application layer proxies like Bluecoat or application layer aware nextgen firewalls like PaloAlto are part of what's needed today--something that factors in site reputation and blocks based on categorization. Fireeye factors those things into its protections too from what I can see.
Application whitelisting should be considered strongly for servers. The infinitely large list of bad stuff can be largely ignored if you can instead just whitelist the suite of good stuff. This matches up pretty well to a server's application mix. I have my doubts on whether it'll ever be flexible enough for most desktop workloads though without causing major support headaches.
Message was edited by: Regis on 7/15/11 9:19:37 AM CDT