Given that the last few successful virus/worm threats attacked SMB/RPC, I believe in running AV on the SQL Server, while setting the AV software not to scan the appropriate file types SQL Server cares about. For instance, Conficker attacks SMB, and therefore, if your SQL Server is on the domain and talking to DCs and other systems (even app servers) using Windows authentication, accessible to most patch management software, remote management, etc., it's going to use those protocols. If you've got a 0-day, then the AV definition may be the only thing that catches and smacks down the virus/worm.
I'd rather take the small performance hit from a properly configured AV software then take the larger risk of the server compromise because someone brought in an infected USB drive, accessed the wrong site on the Internet before it could be properly categorized (especially normally legitimate sites like .edu ones which are often compromised because (a) they aren't being watched as carefully as a commercial site and (b) because of the fact that until reclassified the site is seen as legitimate by the web filtering software most organizations use), or brought in an infected laptop that was in standby or hibernation mode.
K. Brian Kelley