Virus software has a few methods to detect malicious code (virus, Trojan, stealth, ghost). The first thing to understand is most networks use either TCP/IP RFC 793 or IPX. Both are built with layers (OSI Model) to provide communication across cables, airwaves, etc. These layers break down how the communication will take part between computers. Examples are games versus database access.
Virus signatures are patterns that are matched by the antivirus software within these communication layers. Most viruses do have patterns, but some don't. That is when the intelligent engine in the antivirus software takes over. The OSI model has rules applied through RFC793 (www.rfc.net), and when these rules are broken the antivirus program can sense or detect and report.
Most antivirus software will offer to delete or contain (quarantine) the malicious code. Remember, the antivirus program runs in the random access memory (RAM or memory) of a computer. All communication from that computer through TCP/IP or IPX is programmed to be monitored by the antivirus software, thus when malicious code is detected it is stopped before it can damage the computer.
See www.symantec.com or www.mcafee.com for specific product features.
For more information on this topic, visit these other SearchSecurity resources:
Best Web Links: Malware
News & Analysis: Target: Antivirus software
Scheier's Security Product Roundup: Antivirus tools unify and conquer
This was first published in April 2002