The enterprise is not so large as to be afraid of a virus attack, but still.

Oh well.
Imagine that you have a ransomware virus out there.
There are precedents - some enterprises go bankrupt after this.
What is needed is not an antivirus, but a policy (an antivirus can be part of it).
Politics means uniform requirements - no admin rights for ordinary users, no flash drives, etc.

Do you need a paid antivirus for production somewhere on 15-20 computers?

Depends on many factors.
As a rule, the built-in windows is enough - for free, it provides basic protection, and is very unassuming in terms of resources.
All other protection is done by firewall settings, resource access permissions, and application launch policies. It works much more reliably than antivirus, and consumes almost no resources.
In some cases, in a high-risk area, an antivirus operating in full protection mode may be required - but you need to understand that in this case this is a huge waste of system resources, and extremely inconvenient work.
There may also be other reasons for installing an antivirus, for example, as Vladimir Mukovoz pointed out - storage of PD.

There is a State Register of Certified Information Security Tools N ROSS RU.0001.01BI00, it contains a list of software that is certified for this. So, on those computers where personal data is stored, it is almost mandatory to have certified means of protection. You follow the link, type in the antivirus in the search bar and see what is certified.
fstec.ru/tekhnicheskaya-zashchita-informatsii/doku...
To be honest, the topic is confused and this certification infuriates and in general everything is not completely clear. I would be grateful if someone knows more information to comment on my answer.

Previously (long ago), when dealing with Win, I usually did this: I had Norton Antiv, which I liked because it did not load the system. I paid for updates for a year, then not for half a year, because it continued to work, then renewed it again. Today, as I understand it, the antivirus brazenly just stops working. (I honestly don’t know, I’ve been sitting on Linux and Mac for a long time).
Now, when I have to help with viruses, I download a fresh iso from Dr.Web Cure It! I put it on a flash drive and check. Perhaps, as Artem writes , you need to set everything up properly, install a free monitoring, and sometimes check with the same "Web" - it has never let me down in matters of search and treatment, especially since booting from a USB flash drive and treating is preferable IMHO .

Antivirus is not a panacea. A check on the same Virustotal shows that paid solutions do not always identify threats that can be stopped by some free product.
IMHO,
- usually on production computers, Internet access and reading from removable media is not necessary; excess can be turned off;
- the update can be configured through local resources and WSUS, it will help patch pop-up vulnerabilities;
- "Windows Defender", built into all modern versions of Windows, is not much worse than popular antiviruses;
- as written above, users usually do not need admin rights;
- disable unnecessary services that accept network connections, and standard share;
- firewall, the same "Windows Firewall";
-- and the probability of infection is reduced almost the same as when using a paid antivirus.

Antivirus cannot be the only means of protection. There should be an anti-virus, but the actual protection of the infrastructure includes a whole range of measures, both technical and organizational.