How do I explain how Anti-Virus protection works to a non-Super User?
Detection mechanism, or how they work on a deeper level?
When people ask me how malware got on their machine, why it is not always possible to remove once it is on the system, and pretty much anything to do with malware, I always answer with a combination of, or something similar to, this metaphor:
(And when I write it down, I must sound a bit like an idiot, but I hope you like it!)
Imagine your house is the computer; an anti-virus program is several different security mechanisms.
Download/New File creation:
Imagine a bouncer on your front door - anyone coming into the house (files coming into your machine) goes through him and he checks that they are clean*. If he finds something bad, he usually gives you the option of what to do.
Active Scanner
Imagine an internal security team watching everyone (active processes) in your house; any object (file) that they touch gets looked at to make sure it is clean*.
Passive/Manual Scan
When there is nothing else to do, or you choose, you can have the security team check every object in the house, just to make sure they are clean against the latest threats.
Rootkits / once infected
Whilst your home security will always do its best, nothing is 100% effective. Once someone is in the house, if they were not stopped, they can do whatever they want. Whilst it is possible to clean up after them, and in most cases undo all the damage... they could have left their own security team behind that interferes with your own.
* As Randolph said in his answer, typically it is a mix of fingerprint and heuristics.
I can't seem to find it, but Microsoft used to have an API document about creating AV software; I can only find a link to the MS Office/IE API guide. I am guessing that due to fake AV/rootkits, they have removed this information.
(Also, Symantec have an interesting article for further reading.)
Edit - Just found an interesting Stack Overflow question: How does a Windows antivirus hook into the file access process?
They operate on several levels, including:
The fingerprint definition, as you stated, which checks for activity or file signatures that match a database.
Suspicious behaviour, for example the boot sector is modified by something that isn't recognised, or memory is overwritten by a process that shouldn't have access.
Rootkit detection, which requires the AV to run almost as a virus itself, in that it has to hide itself from the rootkit. (This is why AVG does not like ComboFix, for instance - it does things that are indistinguishable from virus behaviour.)
This is certainly not a complete list, and I welcome edits to the answer.
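As an added illustration of the layers both answers describe (this is example code written for this page, not from any AV vendor or from either poster), the following Python script is a toy "bouncer": it checks a file's bytes against a fingerprint database (whole-file SHA-256), against byte-pattern signatures, and against one simple heuristic (a high-entropy executable image, which is what packed or encrypted code looks like). The signature database and the entropy threshold are constructed for the example; the only real-world value is the EICAR test string, which is the industry-standard harmless test file that scanners detect by design. The example also shows why fingerprint matching alone is brittle: a single appended byte defeats the hash while the pattern signature still fires.

```python
import hashlib
import math

# The standard EICAR anti-virus test string (harmless; recognised by scanners on purpose).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature database for this example only.
# Layer 1: exact-file fingerprints (whole-file hash -> detection name).
KNOWN_BAD_SHA256 = {
    hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File (hash)",
}
# Layer 2: byte-pattern signatures (substring -> detection name).
BYTE_PATTERNS = {
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "EICAR-Test-File (pattern)",
}
# Layer 3: heuristic threshold (assumed value); 8.0 is the maximum for bytes.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Packed/encrypted code approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan_bytes(data: bytes) -> list:
    """Run all three layers over a file's contents; return (layer, detection) pairs."""
    findings = []

    # Fingerprint: exact match against a database of known-bad file hashes.
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        findings.append(("fingerprint", KNOWN_BAD_SHA256[digest]))

    # Signature: a characteristic byte sequence anywhere in the file.
    for pattern, name in BYTE_PATTERNS.items():
        if pattern in data:
            findings.append(("signature", name))

    # Heuristic: a Windows executable ("MZ" header) whose contents are near-random
    # is likely packed or encrypted, which is worth a closer look but not proof.
    if data.startswith(b"MZ") and shannon_entropy(data) > ENTROPY_THRESHOLD:
        findings.append(("heuristic", "high-entropy PE image, possibly packed or encrypted"))

    return findings


def verdict(findings: list) -> str:
    """The bouncer's decision: definite matches block, heuristics ask the user."""
    layers = {layer for layer, _ in findings}
    if "fingerprint" in layers or "signature" in layers:
        return "block"
    if "heuristic" in layers:
        return "review"
    return "allow"


def on_file_created(path: str) -> str:
    """What an on-access hook would do when a new file lands on disk."""
    with open(path, "rb") as fh:
        return verdict(scan_bytes(fh.read()))


if __name__ == "__main__":
    # Constructed samples: the test file, a one-byte variant, a "packed" image, a plain one.
    samples = {
        "eicar": EICAR,
        "eicar+newline": EICAR + b"\n",
        "packed-like": b"MZ" + bytes(range(256)) * 16,
        "plain": b"MZ" + b"hello world" * 100,
    }
    for name, data in samples.items():
        hits = scan_bytes(data)
        print(f"{name:14s} entropy={shannon_entropy(data):.2f} verdict={verdict(hits)} {hits}")
```

Running it shows the EICAR file caught by both the hash and the pattern, the newline-appended copy caught only by the pattern (the hash no longer matches), the high-entropy image flagged for review, and the plain file allowed. This mirrors the point in the first answer's footnote: real products combine fingerprints with heuristics precisely because exact fingerprints are trivially invalidated, while heuristics alone produce the "are you sure?" prompts users see.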