An anti-virus scanner uses two techniques to detect viruses: signatures and heuristic analysis. A virus signature is simply a binary pattern that is found in a virus-infected file. Using information in its virus definition (DAT) files, the scanner searches for those patterns. This approach cannot detect a new virus because its signature is not yet known. Therefore, the technique known as heuristic analysis is employed to detect unknown viruses.
Programs that carry a virus often have distinctive features. They might attempt unprompted modification of files, invoke mail clients or use other means of self-propagation. The scanner analyzes the program code to detect these types of computer instructions. The scanner also searches for legitimate behavior, such as prompting the user before taking action, and so avoids raising false alarms.
In an attempt to avoid detection, some viruses are encrypted. Each computer instruction is simply a binary number, but the computer does not use all the possible numbers. By searching for unexpected numbers inside a program file, the scanner can detect an encrypted virus.
By using these techniques, the scanner can detect both known viruses and many new viruses and variants.
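The following added example (not the scanner's own code) sketches both ideas: pattern matching against a definition table, and a check for encrypted content. It uses Shannon entropy per window as a stand-in for the "unexpected numbers" check, since the page does not say how the scanner measures this. The signature name, the `??` wildcard syntax, the window size, the threshold and all sample bytes are constructed assumptions.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed definition table (stand-in for DAT entries); "??" matches any byte.
DEFINITIONS = {"Demo.Marker.A": "44 45 4d 4f ?? ?? 56 49 52 2d 41"}  # DEMO??VIR-A

def compile_signature(hex_pattern):
    """Turn a hex pattern with ?? wildcards into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok))
             for tok in hex_pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

SIGNATURES = {name: compile_signature(p) for name, p in DEFINITIONS.items()}

def entropy(data):
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan(data, window=1024, threshold=7.2):
    """Return (kind, name, offset) findings: signature hits, then the first dense window."""
    findings = []
    for name, rx in SIGNATURES.items():
        m = rx.search(data)
        if m:
            findings.append(("signature", name, m.start()))
    for off in range(0, len(data) - window + 1, window):
        if entropy(data[off:off + window]) >= threshold:
            findings.append(("heuristic", "high-entropy region", off))
            break
    return findings

def keystream(n, seed=b"constructed-key"):
    """Deterministic pseudo-random bytes, used only to build the sample below."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed, inert samples: code-like filler around the marker, and the same
# bytes XORed with the keystream to imitate an encrypted body.
PLAIN = b"MZ" + b"push ebp; mov ebp, esp; " * 100 + b"DEMO\x01\x02VIR-A" + b"ret; " * 200
ENCRYPTED = bytes(a ^ b for a, b in zip(PLAIN, keystream(len(PLAIN))))

if __name__ == "__main__":
    print(scan(PLAIN))      # signature hit, no heuristic finding
    print(scan(ENCRYPTED))  # signature no longer matches; heuristic fires
```

Compressed or packed legitimate files also have high entropy, so a check like this one produces a lead for further analysis rather than a verdict.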