My friend. When i write, i usually follow a logical chain of thoughts, which by quoting selectively, you alter the meaning of what i write. For instance, you are trying to make point, but you "forget" what i added, to be MORE CLEAR (i even wrote so, exactly in order to be "more clear"). So i quote the part you forgot again. "To make myself more clear. HTTP scanner DOES add some more security because as explained by Vlk, there can be an exploit, that can be parsed from the browser, theoretically, in an unpatched system. In this case the real time scanner will intervene only after the execution." So, there you go, i don't doubt the experts' voice either. You thought so because you skipped my "more clear" point. Each vendor will praise HIS solution. If you ask Vlk , HTTP is a "must". Go ask Melih, and "HIPS is a must". Go ask Tzuk, "virtualization" is a must. So WHO is the best "expert"? No, i won't provide any evidence, since nobody has presented evidence to the opposite either. I call it common sense mostly. How many people have you heard being infected by executing something locally and how many executing an exploit through browser in an unpatched system, that their real time scanner (not the HTTP one) couldn't handle? I won't provide "evidence". I will leave it to anyone to think on his own. No, YOU are talking about HTTP scanners. This thread is about Twister. You want HTTP scanner? At the same fashion i want it to have HIPS! Where's the difference? That you can complain about the lack of a feature and i can't talk about another missing feature? That's nice reasoning! This thread is called "Twister Antivirus" (just a reminder). It's not called "HTTP scanners", as it isn't called "HIPS modules in AVs". So, if you can talk about HTTP scanners, why can't i speak of HIPS of sandobox modules? Yes, it is a supposition. Like yours that it won't become bloated. My supposition is, that usually, when adding more modules into a product, it becomes more bloated. Then again, may be not, but i would rather not take my chances. Regards. P.S: About this "It's perfectly possible and likely that Twister will remain light even with one: just ask NOD32 and avast!." Should i ask for proof that the HTTP scanner doesn't slow down browsing at all? Benchmark or something? Or that resource usage hasn't increased? Or, i will ask NOD 32, ok. (i won't google for "Http scanner slows down internet speed). Can i call this "unproven" and without statistics claim? Can i?