Does Avast protect against malicious driver installation and Windows hook attacks?

Status
Not open for further replies.

Prayag

Level 4
Thread author
Verified
Well-known
Mar 27, 2017
160
Does Avast protect against malicious driver installations and the attacks that use hooks to infect the system?
Further, how good is Avast's BB at detecting process hollowing attempts and at protecting COM components and important registry keys?


Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
It is impossible to give definitive answers; that would mean an AV is always 100% effective.

Advanced malware can install itself by completely replacing the contents of a random system driver, gaining stealth by creating its own corrupt DEVICE_OBJECT and changing the DeviceExtension pointer. In this way the system, and also the antivirus, sees the infected driver as if it were clean.

Some malware implements a self-protection system: if the AV tries to analyze its features while it is active in the system, it is immediately terminated, and the executable file is also made inaccessible.
Malicious drivers, in these cases (for example if you open a handle to the process or to the device used for usermode communication), change the ACL (Access Control Lists are lists of access rights on an object that determine who can access the object and what they can do with it) of the process's executable file in such a way as to block access, and finally provide, at the end of the current process, an APC routine.
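A defender-side check that follows from the two tricks described in the reply (a system driver whose contents were replaced on disk, and an executable whose ACL is changed to block access), added here as an example that is not from the thread or from Avast: it lists running drivers whose on-disk image fails Authenticode validation and process images that carry Deny ACEs or whose ACL cannot be read. The function names are my own and the script is read-only; it assumes an elevated PowerShell prompt on Windows.

```powershell
# Added example, not from the thread or from Avast: read-only audit of two of the
# self-protection tricks described in the reply. Function names are my own. Run elevated.

# 1. Running kernel drivers whose on-disk image fails Authenticode validation.
#    A system driver whose contents were replaced normally no longer carries a valid
#    signature. (A rootkit can still hide from this enumeration; it is a baseline, not proof.)
function Get-UnsignedRunningDrivers {
    Get-CimInstance Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
        $drv  = $_
        # Normalise the NT-style paths WMI reports (\??\C:\..., \SystemRoot\..., system32\...)
        $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not $path) { return }
        if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Driver = $drv.Name; Path = $path; Status = 'MissingOnDisk' }
            return
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ Driver = $drv.Name; Path = $path; Status = $sig.Status }
        }
    }
}

# 2. Running processes whose image file carries an explicit Deny ACE, or whose ACL
#    cannot even be read: the "change the ACL of the executable to block access" trick.
function Get-ProcessImagesWithBlockingAcl {
    Get-Process | Where-Object Path | Sort-Object Path -Unique | ForEach-Object {
        $proc = $_
        try {
            $acl = Get-Acl -LiteralPath $proc.Path -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Process = $proc.Name; Path = $proc.Path; Finding = 'AclUnreadable' }
            return
        }
        $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
        if ($deny.Count -gt 0) {
            [pscustomobject]@{
                Process = $proc.Name; Path = $proc.Path
                Finding = 'DenyAce: ' + (($deny | ForEach-Object { $_.IdentityReference }) -join ', ')
            }
        }
    }
}

Get-UnsignedRunningDrivers       | Format-Table -AutoSize
Get-ProcessImagesWithBlockingAcl | Format-Table -AutoSize
```

A hit from either function is a lead to investigate, not a verdict: some legitimate software ships unsigned drivers or sets Deny ACEs, while the in-memory DEVICE_OBJECT manipulation the reply describes is not visible to a disk-only check at all.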
