SOPHOS VS AVIRA Problems ... Which one do you use

Question

I was going to mention this in the RC1 thread but it is not really firmware related. Before Sophos got into the UTM business, I had always thought of them as an AV company but mostly for Macs. I have noticed an alarming trend lately, Avira catches more viruses than Sophos, however sophos is the recommended engine in XG and UTM9 (due to PUA detection) and sandstorm functionality. 
 I got a couple of random files from virustotal and tried them on UTM9 and sophos XG v16.0.5... In both cases sophos passes the virus. Sad part is that even windows defender catches these files as Trojan:Win32/Spursint.F!cl[:(] 
 Here are my settings 
 
 File is passed 
 
 The same file is blocked if I switch to AVIRA for AV scan. 
 
 This is not UTM9 forum but sachingurung and Aditya Patel are regular mods that visit both forums, so I will post a few lines from UTM9 also for reference. 
 UTM9 blocking with Avira AV 
 2017:01:05-11:45:01 gatekeeper httpproxy[47665]: id="0056" severity="info" sys="SecureWeb" sub="http" name= "web request blocked, virus detected" action="block" method="GET" srcip="192.168.0.3" dstip="46.105.105.167" user="" group="" ad_domain="" statuscode=" 403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Custom Filtering)" size="2880" request="0x1a1c6400" url=" img2.file-upload.cc:182/.../adobe.snr.patch.v2.0-painter.rar " referer="www.file-upload.cc/1yr4qa3kz04d " error="" authtime="0" dnstime="108103" cattime="8463582" avscantime="230576" fullreqtime="11534935" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" exceptions="" category="170" reputation="unverified" categoryname="Personal Network Storage" country="France" content-type="application/octet-stream" engine="Avira" virus="TR/Rogue.xqioq " 
 UTM9 allowing the same file with Sophos AV 
 2017:01:05-11:50:24 gatekeeper httpproxy[48749]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.0.3" dstip="46.105.105.167" user="" group="" ad_domain="" statuscode= "200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Custom Filtering)" size="685900" request="0xe1214c00" url=" img2.file-upload.cc:182/.../adobe.snr.patch.v2.0-painter.rar " referer="www.file-upload.cc/1yr4qa3kz04d" error="" authtime="0" dnstime="68936" cattime="360" avscantime="987168" fullreqtime="3563482" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" exceptions="" category="170" reputation="unverified" categoryname="Personal Network Storage" country="France" content-type="application/octet-stream" sandbox="1" 
 
 NOTES: XG was tested with www69.zippyshare.com/v/DyN937Yx/file.html and the referer for UTM9 is in the logs.

lferrara · Accepted Answer

Bill, 
 it depends on what you are trying to achieve on your box. 
 If you need extreme protection, enable both AV and make sure the AV you use inside your PC/Devices is even different from Sophos and Avira. 
 Defense in depth is the best protection ever. Sophos, Kaspersky, Symantec, Avira, etc... will always fail sometimes because they use Signature (false positive and false negative as your case). 
 We are moving a new era where a single protection is not enough and we need more tools that are a mix of behaviour and signature analysis (like InterceptX). 
 At home I am using XG where Avira is enabled and Sophos Cloud on all my devices.