As with most phishing attempts, there doesn't have to be any virus on the site where you're invited to click.

The malware is on the site you click to. A link might appear at mudcat from some malicious spam, but the number one place stuff like this is found is currently FaceBook, where people think something sounds like a great deal so they post it to all their friends. There are far more stupid people than you can possibly defend yourself from, except by "eternal vigilance," and unfortunately we're not all Marine vets.

An AV that scans the site you're on might not be able to detect any threat, because there isn't any malware on the site you're visiting; so you'd have to rely on your AV to block what's there after you get there, somewhere else.

More advanced AV programs compile lists of known sites that do contain malware - or have recently distributed it, and can check the link, and warn if clicking it would take you to a questionable one; but since you can ignore the warning it still has to protect you at the link destination, if it can. Other advanced programs can quickly scan any site you arrive at, and warn you before you click something else.

Unfortunately, you're the boss, so if the site has disguised a download as something innocent (or even if it hasn't), if you click something that gives permission for any site to "run a program" on your computer, the AV has to let it run, because you told it to, even if what you clicked didn't tell you what was going to happen.

The only thing you can blame it on is the loose nut holding the mouse.

John