Looking to validate that your endpoints have some kind of antivirus program running? Try this really long BigFix Relevance Statement designed to detect many major antivirus programs like Microsoft Security Essentials, Symantec, Trend Micro, Spohos, CA eTrust, McAfee, and AVG

(if name of operating system contains “Win” then exists key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates” of native registry or exists service “MsMpSvc” else false)
OR
((if name of operating system contains “Win” then exists service “Norton AntiVirus Server” OR exists service “defwatch” OR exists service “Norton AntiVirus Client” OR exists service “Symantec AntiVirus Server” OR exists service “Symantec AntiVirus Client” OR exists service “Symantec AntiVirus” OR exists service “navapsvc” else false) or (if name of operating system = “Mac OS X” then exists application “Symantec AntiVirus.app” whose (string “CFBundleShortVersionString” of dictionary of file (it as string & “/Contents/Info.plist”) as version >= “10.2” as version ) else false))
OR
(if name of operating system contains “Win” then (exists key “HKEY_LOCAL_MACHINE\Software\TrendMicro\PC-cillinNTCorp” of registry OR exists key “HKEY_LOCAL_MACHINE\Software\TrendMicro\OfficeScanCorp” of registry) or (exists service “SpntSvc”) else false)
OR
((not exists key “HKLM\Software\Sophos\SAVService” of registry) and (exists key “HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SweepNT” of registry) OR (exists key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos-Sweep95” whose (exists value “DisplayName” whose (it as string contains “Sophos Anti-Virus” AND it as string contains “4.6”) of it) of registry) OR (exist values “DisplayVersion” of keys whose (exists value “DisplayName” whose (it = “Sophos Anti-Virus”) of it) of keys “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\” of registry))
OR
(((exists key “HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrustITM\CurrentVersion” of it) of (if (version of client >= “6.0”) then (native registry) else (registry))) OR ((exists key “HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrustAntiVirus\CurrentVersion” of it OR exists key “HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\InoculateIT\6.0” of it) of (if (version of client >= “6.0”) then (native registry) else (registry))))
OR
((exists service whose (service name of it = “McAfee GroupShield”)) OR ((exists key “HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\Shared Components\VirusScan Engine\4.0.xx” of registry) OR (exists key “HKEY_LOCAL_MACHINE\Software\McAfee\AVEngine” of registry)) OR (exists key “HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\NetShield NT\CurrentVersion” of registry) OR (exists key “HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins” of registry))
OR
((exists service whose (service name of it = “AVG WatchDog”)) or (exists service whose (service name of it = “AVG E-mail Scanner”)) or (exists key “HKEY_LOCAL_MACHINE\Software\AVG” of registry))