One of the things that ThreatSTOP does is protect against known malware dropboxes - that is to say the servers that actually deliver the "Fake AV" or trojan when you accidentally visit the "wrong page". Of course these days the "wrong page" is frequently just the ads delivered at an otherwise perfectly legitimate page. Furthermore as companies like Sucuri point out repeatedly, cyber criminals use a variety of security exploits to add malicious PHP to all sorts of blogs and hosted websites. What is potentially worse is that, as the Inquirer reported recently, popular social media sites like Facebook and YouTube are hosting thousands of pages which contain malware links.
The problem here is that it is impossible to block the entire site (or hosting provider) because after a while you would end up blocking the entire Internet - and, while the problem pages are often on non-work related sites, attempting to enforce access controls to stop users visiting these sites will not stop the malware because it will also be on other legitimately work-related sites too. However because the malware is never actually hosted on these sites - the malware vendors put in iframes and other tools that link to hosts they control because they can't, usually, deploy the malware directly on the site or ad network - it is possible to limit the damage and ThreatSTOP is a key part of that damage limitation.
Since ThreatSTOP blocks access to the known bad IP addresses which actually have the malware to be installed, if a user on a ThreatSTOP protected network is directed to a malware site the browser will time out rather than actually deliver anything - and the network administrator will get a report the next day to show what happened so a virus scan can be performed to verify that the user's computer remained clean.
Now it has it be said that ThreatSTOP is not the only way that you can guard against malware and indeed ThreatSTOP should be considered to be just part of the strategy. Services such as OpenDNS block the resolution of known bad hostnames and products like Websense block suspicious URLs and the like, both of which are extremely valuable complements to our service. Furthermore users can use products like Noscript to block a lot of flash and javascript, which is usually where the exploit is, and in particulat to block against XSS exploits. The wise Internet user or organization will use all of these products in tandem.
PS Somewhat ironically one of my favorite webcomics was hacked over the weekend, I say ironically because the previous cartoon could have applied to my last post: