Antivirus software checks files and emails, boot sectors (to detect boot viruses), the computer's RAM, removable media (USB sticks, CDs, DVDs, etc.), and data passing through any network (including the internet).
Various methods are possible:
- the main antivirus products on the market focus on files and compare known virus signatures against the code being checked;
- the heuristic method is the most powerful: it tends to discover malicious code by its behavior, trying to detect it by analyzing the code of an unknown program. It can sometimes raise false alerts;
- form analysis relies on filtering with regexp or other rules, kept in a junk file. This last method can be very effective for email servers that support Postfix-type regexps, since it does not rely on a signature file.
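
The form-analysis approach above, as an added example that is not part of the original page: a small Python filter that loads regexp rules from a rule file and applies them to mail header lines, with the first matching rule deciding the action. The `/regexp/ ACTION text` layout is a simplified assumption modelled on Postfix-style regexp tables; the rules, function names and sample headers are constructed for illustration.

```python
import re

# Constructed rule file in a simplified Postfix-style layout: /regexp/ ACTION text
RULES_TEXT = r"""
# block attachments whose file name ends in an executable extension
/^Content-(Disposition|Type):.*name\s*=\s*"?[^"]*\.(exe|scr|pif|bat)"?\s*$/ REJECT executable attachment
# hold double extensions such as invoice.pdf.js
/name\s*=\s*"?[^"]*\.(pdf|doc|jpg)\.(js|vbs)"?/ HOLD double extension
/^Subject:.*\burgent wire transfer\b/ WARN suspicious subject
"""

RULE_RE = re.compile(r"^/(?P<pattern>.+)/\s+(?P<action>[A-Z]+)\s*(?P<text>.*)$")

def load_rules(text):
    """Parse rule lines into (compiled regexp, action, text); skip blanks and comments."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a /regexp/ ACTION rule")
        # Case-insensitive matching is an assumption of this sketch.
        rules.append((re.compile(m["pattern"], re.IGNORECASE), m["action"], m["text"]))
    return rules

def check_line(rules, header_line):
    """Return (action, text) of the first matching rule, or None if no rule matches."""
    for regexp, action, text in rules:
        if regexp.search(header_line):
            return action, text
    return None

def scan_headers(rules, headers):
    """Apply the rules to every header line and return the (header, hit) pairs."""
    return [(h, hit) for h in headers if (hit := check_line(rules, h))]

# Constructed sample headers, not taken from real mail
SAMPLE_HEADERS = [
    'Content-Disposition: attachment; filename="report.exe"',
    'Content-Type: application/pdf; name="invoice.pdf.js"',
    'Subject: URGENT wire transfer needed',
    'Content-Disposition: attachment; filename="minutes.pdf"',
]

if __name__ == "__main__":
    for header, hit in scan_headers(load_rules(RULES_TEXT), SAMPLE_HEADERS):
        print(hit, header)
```

No signature database is involved: the filter only looks at the form of the header lines, so it catches a renamed or previously unseen file as long as the pattern fits, and lets through anything the rules do not describe.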
Antiviruses can scan the contents of a hard drive, but also the computer's RAM. The most modern antiviruses act upstream of the machine by scanning file exchanges with the outside, in both the downstream (download) and upstream (upload) directions. Thus emails are examined, as are files copied to or from removable media such as CD-ROMs, floppy disks, network connections, USB keys...