How to explain how Anti-Virus protection works to a non-Super User

anti-virus

I found this question which explains in a little detail how anti-virus software works exactly. But I just had a client ask me this, and I really couldn't give him a good, simple, easy to understand answer. Best thing I could come up with was that each virus has a specific "fingerprint" and the software scans in known infected areas for them.

How do I explain this in a simple easy to understand fashion?

Best Answer

Detection mechanism, or how they work on a deeper level?

When people ask me how malware got on their machine, why it is not always possible to remove once it is on the system, or pretty much anything to do with malware, I always answer with a combination of, or something similar to, this metaphor:

(And when I write it down, I must sound a bit like an idiot, but I hope you like it!)

Imagine your house is the computer; an anti-virus program is several different security mechanisms.

Download/New File creation:

Imagine a bouncer on your front door - anyone coming in to the house (files coming in to your machine) go through him and he checks that they are clean*. If he finds something bad, he usually gives you the option of what to do.

Active Scanner

Imagine an internal security team watching everyone (active processes) in your house; any object (file) that they touch gets looked at to make sure it is clean*.

Passive/Manual Scan

When there is nothing else to do, or you choose, you can have the security team check every object in the house, just to make sure they are clean against the latest threats.

Rootkits / once infected

Whilst your home security will always do its best, nothing is 100% effective. Once someone is in the house, if they were not stopped, they can do whatever they want. Whilst it is possible to clean up after them, and in most cases undo all the damage... they could have left their own security team behind that interferes with your own.

* As Randolph said in his answer, typically it is a mix of fingerprint and heuristics.

I can't seem to find it, but Microsoft used to have an API document about creating AV software, I can only find a link to the MS Office/IE API guide. I am guessing that due to fake AV/Root kits, they have removed this information.

(Also, Symantec have an interesting article for further reading)

Edit - Just found an interesting Stack Overflow question... How does a Windows antivirus hook into the file access process?
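The three roles in the answer above (the bouncer at the door, the active security team, and the full sweep of the house) together with the footnote's "fingerprint plus heuristics" point, as an added Python example that is not part of the original question or answer. Every signature, marker string, file name and sample file here is constructed for illustration and is not a real malware indicator; the two heuristics (an executable header under a document-style name, and high byte entropy) are simplified stand-ins for what a real engine does.

```python
"""Toy model of an anti-virus 'house': bouncer, active team, full scan.

Added example; all signatures and sample files are constructed, not real.
"""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Verdict:
    """Result of asking 'is this object clean?' about one file."""
    name: str
    clean: bool
    reasons: list = field(default_factory=list)


def fingerprint(data: bytes) -> str:
    """Exact 'fingerprint' of a file: its SHA-256 digest."""
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 for packed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Constructed signature database (fingerprints). The "known bad" sample and
# the marker string are invented for this example.
KNOWN_BAD_SAMPLE = b"MZ\x90\x00 constructed sample whose hash was recorded earlier"
HASH_SIGNATURES = {fingerprint(KNOWN_BAD_SAMPLE): "Example.KnownBad"}
PATTERN_SIGNATURES = {"Example.Dropper": b"EXAMPLE-DROPPER-MARKER"}

DOCUMENT_EXTENSIONS = (".txt", ".pdf", ".doc", ".jpg")


class Scanner:
    """The house: files that were let in, and a quarantine for those refused."""

    def __init__(self, heuristic_threshold: int = 3):
        self.hash_signatures = dict(HASH_SIGNATURES)
        self.pattern_signatures = dict(PATTERN_SIGNATURES)
        self.heuristic_threshold = heuristic_threshold
        self.files = {}       # objects currently inside the house
        self.quarantine = {}  # objects refused at the door or removed later

    def add_signature(self, family: str, pattern: bytes) -> None:
        """Signature update: the 'latest threats' a later full scan checks for."""
        self.pattern_signatures[family] = pattern

    def heuristics(self, name: str, data: bytes):
        """Static heuristics; each hit adds to a suspicion score."""
        score, reasons = 0, []
        if data.startswith(b"MZ") and name.lower().endswith(DOCUMENT_EXTENSIONS):
            score += 3
            reasons.append("executable header in a file named like a document")
        entropy = shannon_entropy(data)
        if entropy > 7.0:
            score += 2
            reasons.append(f"high entropy {entropy:.2f} (packed or encrypted)")
        return score, reasons

    def check(self, name: str, data: bytes) -> Verdict:
        """Fingerprints first (exact hash, then byte pattern), heuristics last."""
        family = self.hash_signatures.get(fingerprint(data))
        if family:
            return Verdict(name, False, [f"hash signature: {family}"])
        for family, pattern in self.pattern_signatures.items():
            if pattern in data:
                return Verdict(name, False, [f"pattern signature: {family}"])
        score, reasons = self.heuristics(name, data)
        if score >= self.heuristic_threshold:
            return Verdict(name, False, [f"heuristic score {score}"] + reasons)
        return Verdict(name, True, reasons)

    def on_access(self, name: str, data: bytes) -> Verdict:
        """Bouncer / active team: check a file as it arrives or is touched."""
        verdict = self.check(name, data)
        if verdict.clean:
            self.files[name] = data
        else:
            self.quarantine[name] = verdict
        return verdict

    def full_scan(self) -> list:
        """Passive/manual scan: re-check everything already in the house."""
        results = []
        for name in list(self.files):
            verdict = self.check(name, self.files[name])
            if not verdict.clean:
                self.quarantine[name] = verdict
                del self.files[name]
            results.append(verdict)
        return results


def demo() -> dict:
    """Walk the metaphor with constructed files; returns a summary for checking."""
    s = Scanner()
    notes = s.on_access("notes.txt", b"meeting notes, nothing odd here\n" * 20)
    known = s.on_access("sample.bin", KNOWN_BAD_SAMPLE)
    # Executable header under a document name, plus maximally high entropy.
    disguised = s.on_access("invoice.pdf", b"MZ" + bytes(range(256)) * 16)
    # Let in today; only recognised once its family gets a signature.
    later = s.on_access("update.exe", b"looks fine until EXAMPLE-NEW-MARKER is known\n")
    s.add_signature("Example.NewFamily", b"EXAMPLE-NEW-MARKER")
    rescan = {v.name: v.clean for v in s.full_scan()}
    return {
        "door": {v.name: v.clean for v in (notes, known, disguised, later)},
        "rescan": rescan,
        "inside": sorted(s.files),
        "quarantine": sorted(s.quarantine),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The order inside `check` matters: exact fingerprints are cheap and unambiguous, so they run first; heuristics only decide the cases the signature database does not know yet, which is exactly why a signature update followed by a full scan can catch a file the bouncer let through the day before.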
