I have a VM running on Debian. Considering security, does it make sense to install antivirus/security software on it?
I know Google recommends ClamAV for the scanning of files uploaded to Google Cloud Storage. But I don't find anywhere about malware scans or antivirus on virtual machines.
This is the same for SQL instances in Cloud SQL. Is it recommended and/or possible to add additional security to detect malware?
It depends on what that VM is going to do. Does this machine really receive external files that are going to be kept in the VM?. if so you may need an antivirus installed in the VM.
If this VM has your own software, your security could be the firewalls, Security Command Center, and Shielded VMs. If your VM is serving web apps, you could look for other Googles security tools like Cloud Armor.
For Cloud SQL instances, as they are a managed service, Google is responsible for security at OS and DB software levels. Although data access security is the customer's responsibility.