Why is a dynamic or real-time scanner required for all use-cases and on every machine? I can understand if it's mission-critical or something but most PCs are already secure behind several layers. For example, your enterprise firewall itself is a kind of virus/malware scanner, most of the malware links/scripts would be blocked at that layer itself. Another layer is Windows itself which has a built-in scanner called Defender. And even after that, there are offline scanners like ClamAV which can scan individual files on demand. If you have a habit of scanning every file after downloading it, why do you need a real-time scanner at all?
The payload of a malware program could be encrypted with a regenerated key so that the only constant part of the program would be the part that does decryption and transfer of control. If you had a compiler that could generate highly diverse versions of the decryption routine (see "polymorphic malware") such a system is difficult or impossible for a signature-based system to detect.<p>Signature-based systems are inefficient in the sense that almost all of the signatures in your database are not active threats: ClamAV has more than 4 million signatures. A new worm could spread across the internet in less than 24 hours giving very little time to develop, test and deploy signatures.
ClamAV is not a good example. Being an open-source volunteer-maintained thing that started as being specifically for scanning email it has a terrible detection rate at finding general windows malware compared to commercial products.<p>Anecdotally, based on uploading exe's that I come across to virustotal, ClamAV detects 10% of malware that the well known AV packages alert on.