Do I need antivirus, etc. on a virtual machine?

There aren't any reported cases of a breach wherein a vm which begins running malicious code is able to infect a host. However, theoretical concerns have been raised over this very issue. Worse, if a vm gets infected, it will likely end up running a bot that will scan your network (including possibly the host) and could easily discover a hole in your defenses.

So, even if you don't care much about the vm, it is highly advisable to engage in a rigorous strategy of protecting those machines with AV software and scheduled updates. It can be challenging if you don't turn the systems on that often. So, it's generally a good idea to schedule a time every few weeks that you turn on all vm/images and get them all up to date.

If you'd mention a particular virtual host vendor or package, more specific advice may be available as for how to go about developing your vm security protocol.