It might be helpful if you could expand a bit on what you're trying to accomplish with an antivirus rule.
Assuming you're looking for correlation rules, know that it's pretty rare in McAfee ESM to build rules that are tied directly to specific vendors. Our SIEM provides a feature called Normalization, which allows you to easily build powerful rules that are generic in nature.
All events are normalized by McAfee ESM into a fixed set of categories. For example, any events related to viruses, trojans, etc. would be normalized as "malware", regardless of which vendor they came from. Normalization is very useful in building alarms, reports, filters, etc. It allows you to design these types of content with a simple filter, rather than requiring a separate rule to bring events from different vendors together.
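The normalization idea in the reply above, as an added Python sketch that is not part of the original post and is not McAfee ESM's rule syntax or category taxonomy: events from three antivirus sources are mapped to one category, and a single vendor-neutral rule then flags hosts with repeated malware events. The vendor names, signature strings, field names and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical (vendor, signature) -> normalized category table.
# Constructed for illustration; a real SIEM ships and maintains its own mapping.
NORMALIZATION_MAP = {
    ("vendor_a", "Virus detected"): "malware",
    ("vendor_b", "TROJAN_FOUND"): "malware",
    ("vendor_c", "threat.quarantined"): "malware",
    ("vendor_a", "Definition update"): "system_status",
    ("vendor_b", "LOGIN_FAIL"): "authentication",
}

def normalize(event):
    """Return a copy of the event with a vendor-neutral 'category' field."""
    key = (event["vendor"], event["signature"])
    return {**event, "category": NORMALIZATION_MAP.get(key, "uncategorized")}

def correlate(events, category="malware", threshold=2, window=timedelta(minutes=10)):
    """Generic rule: hosts with >= threshold events of one category inside the window.
    The rule filters on the normalized category only, never on vendor or signature."""
    by_host = defaultdict(list)
    for ev in map(normalize, events):
        if ev["category"] == category:
            by_host[ev["host"]].append(ev["time"])
    alerts = []
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(host)
                break
    return sorted(alerts)

def _t(hhmm):
    return datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample events from three different antivirus sources.
SAMPLE_EVENTS = [
    {"vendor": "vendor_a", "signature": "Virus detected", "host": "ws01", "time": _t("09:00")},
    {"vendor": "vendor_b", "signature": "TROJAN_FOUND", "host": "ws01", "time": _t("09:05")},
    {"vendor": "vendor_c", "signature": "threat.quarantined", "host": "ws02", "time": _t("09:00")},
    {"vendor": "vendor_a", "signature": "Virus detected", "host": "ws02", "time": _t("11:00")},
    {"vendor": "vendor_b", "signature": "LOGIN_FAIL", "host": "ws03", "time": _t("09:00")},
    {"vendor": "vendor_a", "signature": "Definition update", "host": "ws03", "time": _t("09:01")},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Adding a fourth antivirus source in this sketch means adding rows to the mapping table; the rule itself does not change.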