I recently posted my "6-point list of security minimums" for the enterprise. That is, 6 things that may have been "would be nice" in the past but are now absolutely required as far as I'm concerned. Most sites do not do all 6, and I think it is time that such sites got with the program 'cause you are making the rest of us look bad.
I got a number of comments asking if I was serious about malware scanners on all computers.... did I really mean servers too?
Yes.
If the machine is a file server then the files being stored should be scanned. It prevents this server from being the unintentional transmitter of infected files. [As a bonus it is an interesting way to detect which users are not protecting themselves. Notice that a large fraction of the infected files are in a certain person's network home directory? Yeah, better check to see if they've disabled their malware detector.]
Web servers, email servers, and "shell servers" all have the same issue. One of my personal servers is a FreeBSD box that I permit friends to have shell accounts. I recently ran a popular commercial virus scanner on all the files. I found 3 files with viruses: One in my home directory (I had done a backup of a laptop to the server ages ago). Two in the home directory of users that were just as shocked as me. Fixing those infected files prevented those users from passing the malware along.
Server performance won't suffer very much. Modern malware scanners are much better behaved. Operating systems have more efficient hooks to let them do their work. Plus, the better vendors are trying to be the lightest burden on system resources. Competition will help that.
I also run a malware scanner on my personal Mac even though Macs are known to not have a lot of virus problems... at this time. Most of the infected files it has detected are Windows virii which wouldn't harm me but this is worth it because it means I haven't propagated the file to my Windows-using friends.
The problem, however, is that in this era of APT it has become very common to find malware written specifically to seek out a particular person or company. The anti-malware vendors are less likely to discover such junk, and if they do there isn't as much financial incentive for them to publish signatures for such things. However, doing this kind of scanning is still important just like people with strong teeth should still brush their teeth. It is good hygiene.
There are still threats from XSS, weak passwords, social engineering and so on and so on. However not doing these 6 basic things is irresponsible bordering on professional negligence.
Having recently spent a lot of time removing a virus that propagated through a windows network drive, I'm all for running anti-virus on servers! (I just wish our IT department felt the same way)