
Yes, we use ClamAV at work.

The reason is maybe the least satisfying of all. Because there is a rule somewhere saying that all workstations have to have an antivirus, Linux or Windows, same rules. Since "apt install clamav" is easier than arguing against the rulemakers again, that's what we did. And it is also not completely stupid: Linux viruses exist, and detecting malware on unaffected systems is good too, because chances are that uncaught files will end up on vulnerable systems later. But really, the main reason we installed an antivirus was to comply with some corporate rules.


Ah yes, the pleasures of getting ISO certification.


I've seen clamav used for PCI compliance too. Probably a lot of certifications that have some "security" component.


SOC-2 requires that you run an antivirus too.


No, it doesn't.

It's very important to distinguish between what is actually required for compliance, and what is being done in the name of compliance, and make sure that "compliance" isn't just abused to shut down discussions easily.

SOC2 does not have any criteria specifically requiring antivirus software.

The actual requirements are more generic; for example CC6.8: "controls to prevent or detect and act upon the introduction of unauthorized or malicious software". That doesn't even sound like an unreasonable requirement to me.

If your company reads "no computer without antivirus" into that, that's on your company (and what they put in their SOC2 Type 1). Of course AV manufacturers will gladly agree that it should be read that way, and auditors will be more familiar with that approach. But if you can achieve the same in a different way, that's ok too - you just have to write it down that way. And the auditors can be reasoned with - their focus is anyway more to verify that you can show evidence (e.g. screenshots) of actually doing what you wrote down.


Has it caught anything?


No, at least not on the desktop machines.

On servers, it picked up a few exploitable (but uninstalled) packages from our Debian mirror, and a few EICAR files. So, no actual threat averted.


We definitely have... but they were Windows viruses / malware. Still, glad to see it was flagging something.
