for standardisation, we deploy the same AV product to all systems, including servers. So they get AS, just incase, handy when your manually chasing patches/updates from a problem server, last thing you want to do is visit a site with some dodgy trojan or something (not that AS's success rate is high). Its a risk, but with the the right server policy for telling it what not to scan, your servers will be fine, mine have for several years, but then again, i'm only running 12 of them with 2003/2000 Server.