We have an AV client installed on each VM. This wastes a lot of I/Ops but it makes the auditors happy. Looking into a 'white list' based application so that only approved apps run. This should keep out the malware and zero day attacks but we have many boxes to 'tick' before the auditors sign off on the solution and not sure if it would stop Net-Worm.Win32.Kido.
if you do get local admin (or maybe poweruser) privileges, then you get an AV client (makes some interesting pool considerations but doable)
as much as possible, desktops are non-persistent (user data on CIFS shares, apps via ThinApp) so anything that does get through is short-lived
you could potentially even mix in something like DeepFreeze (although non-persistent desktops covers almost all of that)
Of course, how well this flies in each organization is another question. 😕
From an auditing perspective, while AV protects against a lot of threats it also doesn't protect against many threats (at least once you're into zero-day stuff and/or the theoretical side of it....<insert discussion around problems with signature-based protection here>).
It would be very fantastic if someone had quantifiable numbers on the impact of an AV client on VDI consolidation ratios though (i.e. got "xx" VDI VM's on an ESX host without <insert AV brand name here> but it dropped to "xx" VDI VM's once we added it in).