Hacker News

Anti-virus products are a huge security risk.


Some might think it is a joke, but it is dead serious:

https://googleprojectzero.blogspot.com/2016/06/how-to-compro...

Unfortunately, running an anti-virus is an overly broad requirement in some industries to pass certifications and audits. It's one of the cases where "security" mandates and requirements lead to insecurity.


Insurance company made us all install anti virus software


They didn't make you do anything. They either refused to insure you or would raise your rate if you didn't.


made, required, mandated... I don't see how this makes a significant difference.


No they didn't hold a gun to their heads, pretty sure. I think it's pretty clear they made it a condition of not dropping them or not raising their premiums.


Eh. Holding a gun to your head doesn't _make_ you do anything.

You either do what they want or die. Your choice.


I have found it best to treat anti-virus products like malware themselves. They only get to live inside a VM for the sole purpose of antivirus scanning. This VM has access to several different antivirus products, and I use a battery of them (after updating signatures) to scan any file that I am leery of trusting. I delete the VM afterwards.

This is not impractical for my situation, because I do not have a large throughput of dubious files, perhaps a couple every 6 months or so.


There's also VirusTotal.



