I was working on a cybersecurity incident with a customer. They're not PubSec, but their data is valuable. About half of their datacenter was airgapped, and they said the same, "we only use known-safe media, scan it daily, etc." Somehow a nasty bit of code was rampaging through their supposedly safe network, deleting random files, corrupting backups, the works!
Turns out their primary scanning utility doesn't do much more than a simple heuristics check against data being put on these trusted thumb drives, and someone neglected to follow "clean source" principles, downloading what they thought was a driver for new hardware that turned out to be malicious code. Had they checked the driver against a published checksum (there wasn't one), they would've known better.
Moral of the story: don't trust "scanners." Their heuristics scanner couldn't tell that the "driver" was really malicious code.
Most malicious data these days doesn't trip "malware" or "antivirus" scanners. Malware and antivirus are 20+ year old infection vectors. People still have a false sense of security from scanners like Norton, McAfee, AVG. They're functionally useless nowadays, and most of them are bloatware or worse.
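The "clean source" check the post says was skipped, as an added example (not code from the poster or from any product mentioned above): before a downloaded package goes anywhere near transfer media, its SHA-256 is streamed and compared in constant time against a vendor-published `sha256sum`-style manifest. The driver file name, the manifest contents and the tampered copy are all constructed here for illustration; a file that the manifest does not list is treated as a failure, not a pass, because there is nothing to verify it against.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so large packages are not read into memory at once


def sha256_file(path: str) -> str:
    """Return the hex SHA-256 of the file at path, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_sums(text: str) -> dict:
    """Parse sha256sum-style lines ('<64 hex chars>  <filename>') into {filename: hex}.

    Blank lines and '#' comments are skipped. A malformed line raises instead of
    being ignored, so a truncated or corrupted manifest cannot quietly pass."""
    sums = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if (len(parts) != 2 or len(parts[0]) != 64
                or any(c not in "0123456789abcdef" for c in parts[0].lower())):
            raise ValueError(f"malformed checksum line {lineno}: {line!r}")
        name = parts[1].lstrip("*")  # sha256sum marks binary mode with a leading '*'
        sums[name] = parts[0].lower()
    return sums


def verify(path: str, sums: dict) -> str:
    """Return 'ok', 'mismatch' or 'unlisted' for the file at path.

    The lookup key is the base name, as in a sha256sum manifest. Digests are
    compared with hmac.compare_digest so the comparison time leaks nothing."""
    expected = sums.get(os.path.basename(path))
    if expected is None:
        return "unlisted"
    actual = sha256_file(path)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo() -> dict:
    """Constructed scenario: a 'driver' matching its manifest, the same file with
    one byte altered, and a file the manifest never listed. Names are hypothetical."""
    with tempfile.TemporaryDirectory() as d:
        good_dir = os.path.join(d, "vendor")
        bad_dir = os.path.join(d, "mirror")
        os.makedirs(good_dir)
        os.makedirs(bad_dir)

        good = os.path.join(good_dir, "nic_driver.bin")
        payload = b"MZ" + b"\x00" * 4096          # constructed stand-in for a driver package
        with open(good, "wb") as f:
            f.write(payload)

        # Manifest as the vendor would publish it, built from the genuine file.
        manifest = parse_sums("# nic_driver release checksums\n"
                              f"{sha256_file(good)}  nic_driver.bin\n")

        tampered = os.path.join(bad_dir, "nic_driver.bin")  # same name, one byte changed
        with open(tampered, "wb") as f:
            f.write(payload[:-1] + b"\x01")

        unlisted = os.path.join(bad_dir, "extra_tool.exe")  # never in the manifest
        with open(unlisted, "wb") as f:
            f.write(b"MZ")

        return {
            "good": verify(good, manifest),          # 'ok'
            "tampered": verify(tampered, manifest),  # 'mismatch'
            "unlisted": verify(unlisted, manifest),  # 'unlisted'
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

A matching hash only proves the file is byte-for-byte what the publisher listed; it says nothing about whether the listing itself is trustworthy. The manifest therefore has to come from a source independent of the download (a signed manifest, or a value fetched over a second channel), or the check collapses to trusting whatever page the "driver" came from.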
Good point, and well stated. Thanks!