Do sandboxes and Automated Dynamic Analysis Systems provide the protection they promise?

04.09.2012

So, purely from a statistical basis, preventing 80% to 90% of malware coming in to your organization that way sounds great, but is that the threat you're really worried about? A piece of malware that scrapes Facebook and login credentials, and that will be blocked automatically by the host-based protection suite you've already deployed?

No, the threat to business lies elsewhere, and the tools being positioned to fill that legacy antivirus gap have significant weaknesses.

For some reason vendors continue to tap-dance around the weaknesses of automated dynamic analysis systems, labeling malware samples that evade detection as sophisticated and advanced, as if you're unlikely to ever encounter them. Sure, the technical aspects of evading sandboxing and automated analysis platforms may be specialized, but evasion has been largely a commodity technique for at least the last five years (just do a Google search for "malware armoring").

Today, probably about a third of all suspicious binaries traversing corporate networks that will eventually be categorized as being part of infiltration or espionage threats are VM-aware or capable of bypassing not only the current generation of automated dynamic analysis systems, but also any subsequent iteration of that technological path.

Not only are there umpteen subtle technical methods by which the malware author can detect the presence of the virtual analysis environment, but there are an almost unlimited number of unsophisticated ways to trivially achieve the same, which will be further "commoditized" and become commonplace in generic Internet threats in the very near future.