You are considering installing anti-virus (AV) software in an IntelliVM in the Malware Analysis Appliance (MAA).
Symantec recommends not installing AV solutions in iVM profiles that will be used for the majority of samples or automatic processing (Tasks created by the Content Analysis System (CA) and Symantec Data Center Security: Server Advanced SA appliances).
While it is possible to install a client anti-virus (AV) solution inside an IntelliVM (iVM), there are multiple reasons this is not recommended:
When the iVM starts, the update mechanism of the AV solution tries to contact its update servers during the analysis. The resulting network traffic is unwanted and unnecessary, is generated repeatedly, and may create additional events in the analysis process. This leads to many unnecessary change events that have to be acknowledged and handled.
The filtering/detection of known bad files should be done by the aforementioned appliances, not the iVMs. This will allow the MAA to focus on the detection of unknown malicious files.
If you install an AV solution in order to monitor whether malware attacks the AV program itself, be aware that some malware will simply not execute if AV tools are running. Both the update and on-access scanning components of the AV program need to be deactivated.
Additionally, the firewall, registry protection and HIPS components that come with some AV suites should be disabled.