One aspect of this is that recommending “anti-virus” to be on everything is a safe bet, for the auditor.
Security audits aren’t entirely about actual technical safety. Often they are also about limiting liability in case of a lawsuit.
Let’s say your company was hacked and a class action lawsuit was filed against you. Your specific liability can be mitigated based on how well you followed industry standards. Let’s say the auditors did not recommend AV on this server, so you don’t install it.
Your defense in this is that you followed the recommendations of a respected auditor and pass the buck so to speak. Incidentally, that’s the PRIMARY reason we use third party auditors. Note that shifting of liability is often written into the contract you sign with auditors: if you don’t follow their recommendations, it’s all on you.
Well, attorneys will then investigate the auditor as a possible co-defendant. In our hypothetical situation the fact that they did not recommend AV on a particular server will be seen as not being thorough. That alone would hurt them in the negotiations even if it had absolutely no bearing on the actual attack.
The only fiscally responsible thing for an auditing company to do is to have a standard recommendation for all servers regardless of actual attack surface. In this case, AV on everything. In other words they recommend a sledge hammer even when a scalpel is technically superior due to legal reasoning.
Does it make technical sense? Generally no as it usually increases risk. Does it makes sense to attorneys, a judge or even a jury? Absolutely, they are not technically competent and incapable of understanding the nuances. Which is why you need to comply.
@ewwhite recommended you speak with the auditor about this. I think that’s the wrong path. Instead you should speak with your company’s attorney to get their opinion on not following these requests.