I am reminded of a situation where sales and marketing was supposed to carry out virus scans before they installed our product. They had previously been using an inferior product and I mandated that they using a more accurate product. At one point a machine was brought in as a problem. First step in my process was to scan the machine, and, sure enough, it was infected.
"Did you scan it?"
"Did you use the right scanner?"
"Well, no, we used the old one."
"Why did you use the old scanner, when I've specified that you have to use the new one?"
"Well, when we use the one you told us to, it finds viruses ..."
Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413
This message may or may not be governed by the terms of http://www.noticebored.com/html/cisspforumfaq.html#Friday or https://blogs.securiteam.com/index.php/archives/1468
Don't know what to say other than its always a good idea to scan with two distinctly different A/V engines. When I have Trend Micro installed I use F-Secure or Symantec or McAffee or whomever as a separate control. Your controls were bypassed because you made a suggestion not a policy from the get go. This needs to be a policy level argument otherwise your end-user simply made a excuse for you to choke. Well... someone is going to choke on this, might as well be the end-user.
Something similar happened to me here where I had someone bypass the A/V by deleting the .exe on a machine more than sufficiently protected from 3rd party media, booting or software load. No, my person injected code into the .exe to destroy it. Smart. So smart that I wrote a policy indicating my displeasure with circumventing security controls.