Either one should work.
Actually, the two work on different aspects of botnets.
The botnet C&C IP address blacklist is distributed and updated via the AV engine. This is a simple but effective address filter with near to no impact on CPU.
The AppCtrl signature checks for botnet activity which is not necessarily traffic to the C&C servers.
As such, CPU or CP load is a bit higher.
Both methods should be used at any installation as they complement each other.
"Kernel panic: Aiee, killing interrupt handler!"