Traditional antivirus products and even application whitelisting products are completely blind to attacks that do not use malware. It is possible for an attacker to compromise a machine without ever writing a file to disk, or by abusing a legitimate system tool like PowerShell or WMI. It is also common for attackers to exploit a public-facing web server, and then use a web shell to move laterally in the environment.