One of the things ThreatSTOP does is protect against known malware dropboxes, that is to say the servers that actually deliver the "Fake AV" or trojan when you accidentally visit the "wrong page". Of course, these days the "wrong page" is frequently just the ads delivered on an otherwise perfectly legitimate page. Furthermore, as companies like Sucuri point out repeatedly, cyber criminals use a variety of security exploits to add malicious PHP to all sorts of blogs and hosted websites. What is potentially worse is that, as the Inquirer reported recently, popular social media sites like Facebook and YouTube are hosting thousands of pages which contain malware links.
The problem here is that it is impossible to block the entire site (or hosting provider), because after a while you would end up blocking the entire Internet. And while the problem pages are often on non-work-related sites, attempting to enforce access controls to stop users visiting these sites will not stop the malware, because it will also be on legitimately work-related sites. However, the malware is never actually hosted on these sites: the malware vendors usually can't deploy it directly on the site or ad network, so they put in iframes and other tools that link to hosts they control. That makes it possible to limit the damage, and ThreatSTOP is a key part of that damage limitation.
Since ThreatSTOP blocks access to the known bad IP addresses that actually host the malware to be installed, if a user on a ThreatSTOP-protected network is directed to a malware site, the browser will time out rather than deliver anything. The network administrator will get a report the next day showing what happened, so a virus scan can be performed to verify that the user's computer remained clean.
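To make the next-day report concrete, here is an added example (not ThreatSTOP's code) that turns firewall deny records into a list of internal hosts to virus-scan. The log format, the blocklist entries and all addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed blocklist of "known bad" dropbox addresses (RFC 5737 documentation ranges).
BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "198.51.100.77/32")]

# Constructed firewall log in a hypothetical format: timestamp action src dst dport
SAMPLE_LOG = """\
2024-05-01T09:14:02Z DENY 10.0.4.21 203.0.113.5 80
2024-05-01T09:14:03Z DENY 10.0.4.21 203.0.113.5 80
2024-05-01T10:40:11Z ALLOW 10.0.4.33 192.0.2.10 443
2024-05-01T11:02:45Z DENY 10.0.7.8 198.51.100.77 443
2024-05-01T11:05:00Z DENY 10.0.7.8 192.0.2.200 25
garbled line
2024-05-01T13:30:19Z DENY 10.0.4.21 198.51.100.77 80
"""

def is_blocklisted(ip):
    """True if the address falls inside any blocklisted network."""
    return any(ip in net for net in BLOCKLIST)

def daily_report(log_text):
    """Map each internal host to the blocklisted destinations it was stopped from reaching."""
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[1] != "DENY":
            continue  # skip malformed lines and traffic that was allowed
        try:
            src = ipaddress.ip_address(fields[2])
            dst = ipaddress.ip_address(fields[3])
        except ValueError:
            continue  # skip lines whose address fields do not parse
        if is_blocklisted(dst):  # denies caused by other rules are not malware hits
            report[str(src)][str(dst)] += 1
    return {host: dict(dests) for host, dests in report.items()}

def hosts_to_scan(report):
    """Hosts with blocked dropbox attempts, most attempts first."""
    return sorted(report, key=lambda h: -sum(report[h].values()))

if __name__ == "__main__":
    rep = daily_report(SAMPLE_LOG)
    for host in hosts_to_scan(rep):
        print(host, rep[host])
```

A host that appears here was redirected toward a dropbox and stopped at the network edge, which is why it is the one to scan.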