My experience of database servers in general, not only Oracle, is that they don't have an interactive AV on them. There is no point if they are in the background of your network. After all, if anything gets to them through your network, then it has passed your AV defences already, and a duplicate on the server won't detect it.
Where you need to be careful is with media and laptops. You need a strict and strong policy. Also, depending on your situation, it is a good idea to create sectors or sub-networks, so that segments that do not need to communicate with eachother cannot do so.
I am also used to servers being scanned remotely on a scheduled basis from a dedicated machine, but I guess that the motivation behind that was largely to save on licence fees :D
It does depend on the particular architeture. I have seen many cases where the web server acts as broker to request something and the database delivers it through a "window" with direct access to the client. Especially with gobs of data meant for public consumption on read only files.
LOL, I don't think I have heard that in a long time. :D