
This issue could easily happen on any other OS - Linux, macOS, BSDs - because it's a third party kernel driver which would be installed by the corporate IT regardless of anyone's opinion for compliance reasons. Your advice is incompatible with how the real world operates.



I've seen orgs get through SOC 2 and PCI DSS without kernel anti-virus.

It's all about compensating controls.


Alas in the world of B2B, contracts from larger companies nearly always come with lists of specific requirements for security controls that must be implemented, which nearly always include requiring anti-virus.

It's just not as simple as commenters on this thread wish!


The contracts rarely specify stuff like antivirus explicitly, but instead compliance with one or more of the security standards like PCI DSS. Those say you have to use antivirus, but they all have an escape hatch called a "compensating control", which is basically "we solved the problem this is trying to solve some other way that's more conducive to our overall security posture, and got the auditor to agree with us".


My source: I review a lot of contracts. It's very common for things to be explicitly required.

Yes you can go back and forth and argue the toss, but it pushes up the cost of the sale and forces your customer to navigate a significant amount of bureaucracy to get a contract agreed. Or you could just run AV like they asked you to...


Wait, I thought in this case we are the customer!? Okay what kind of contracts are we talking about? :D


Can you propose an example of a compensating control for an "antivirus" that has a chance of passing? Would you propose something like a custom SELinux/AppArmor setup + maybe auditd with alerting? Or some Windows equivalent of those?


Compensating controls ftw. The spirit of the law vs the letter of the law. Our system was more secure with the compensating controls vs the prescribed design. This meant not having to rotate passwords, because fuck that noise.


You should grab the folks who've done it and start authoring a book. You've got a 100x audience increase today!


Same, I’ve been in an org that got PCI-DSS level 1 without antivirus beyond Windows Defender or any invasive systems to restrict application installation.

It did involve a lot of documentation of inter-machine security controls, network access restriction and a penetration test by an offensive security company starting with a machine inside the network, but it can be done! Also in my opinion it gives you a more genuinely secure environment.


You should explain how they do it.

If for instance they're remoting into a restricted VM all day, that's a different set of tradeoffs many might not be happy with.


Nothing like that, basically what sitharus said above you. Extra network level, zero trust to minimize lateral movement and giving the pen testers a leg up by letting them start already within the corporate network.


Corporate IT heads need to roll for that to ever change.

The Romans used to make the architects stand under the arches they built, to enforce the idea of consequences for bad work.


Corporate ITs need to stop mandating security malware tools on their systems just because someone showed them some nice powerpoints.


Yeah, my work requires me to run an antivirus kernel module on my Ubuntu laptop.

Corporate IT is always going to lean towards the "safe" compliance option.



