A basic explanation of how Anti-Virus really works
Generally, the Viruses Enters our System:
Running an infected file from removable medias like floppy disk, CD or other vulnerable medium.
When Opening a web age which contains malicious code.
Opening an infected file sent over P2P Network.
When we open un-scanned attachments in e-mail our messages.
The Antivirus Software constantly checks and monitors our system, when it detects an infected file, or when it sees suspicious activity; it uses the most common 3 methods to identify the virus.
Just like cops trace patterns in crimes back to a criminal, the Anti-virus software reverse engineer a virus to find the signature it leaves. This signature is added to the database, which when the anti-virus performs a virus scan, each file is scanned for matches with any of the virus signatures.
The Sandbox is a method, which emulates an OS. The suspected executable file is run within the confines of a sandbox, and then the sandbox is examined to see what changes were made. These changes are used to determine which virus infected the file.
In this method, the anti-virus analyses a program for seemingly malicious behavior. Heuristic is effective against undocumented new viruses.
After the Virus is found, Antivirus software removes the infected files by:
Removal of the Virus
First the anti-virus tries to remove the viral code from the file. It is the best method and no harm is made to the infected file or the system.
Quarantine of the Infected file
The Anti-virus tries to make the file inaccessible to other programs, by moving the infected file to unreachable location in the system, without deleting it.
Deleting the Infected file
The Anti-virus deletes the file if the virus cannot be safely removed from the infected file.
Physical removal of infected file
If the infected file is in use by the Operating system, the anti-virus asks the user to delete the file and replace the file manually from a clean backup.
If the virus has changed the registry and the anti-virus can't reverse the changes. The user is directed by the anti-virus to the anti-virus software's website to get an online help on what registry keys to be change or delete.
If all the methods fails to remove the virus or the infected file is critical, the anti-virus boots through the secondary OS to access files being used by the infected Operating System to remove the infected file.