How do computer antiviruses know what a “virus” is?


From what I understand, AVs usually check a file’s hash in their database. This seems logical for viruses that spread from computer to computer, as multiple people having the same file would report the same effect.

But how about legitimate software used maliciously? Like a backup program that regularly uploads your files? Keyloggers? Or a virus that changes its own hash? Now that I think about it, I’ve written several pieces of code that could’ve easily turned into a virus and weren’t detected.

Do AVs actually do a good job at keeping your computers safe or do they just stop the commonly found viruses?


3 Answers

Anonymous

They make a tradeoff of detecting the suspicious code segments or behaviors while also allowing the users to do what they want with a system. Generally they err on the side of false positives, flagging too many things as viruses and allowing the user to override it if they are confident that the software is legitimate.

They do not just detect whole-file hashes, but can also analyze parts of files (e.g. contents of archives, large code blocks) or behavior. A very common false positive is in fact keyloggers, or e.g. cracking software that modifies registry keys in an unusual way to activate pirated software.

AVs do indeed do a better job on more commonly found things, but they’re not limited to some common set of files – they can stop entire categories of exploit chains, or large virus families with only minor changes from each other. They’re never 100%, but they work for most people most of the time.

Anonymous

There are two general ways of detecting a virus. The first is signature-based, which you hint at: checking the hash against a database. This works well against known viruses, and it is why you need to keep updating the virus database.

The second is behavioral: is a program doing something it shouldn’t? This is much harder to do well. Is the backup program uploading the files it’s supposed to, or has it been hijacked?! While difficult, we are starting to see more and more systems use this in addition to signature-based detection.

> Do AVs actually do a good job at keeping your computers safe

Yes, modern, up-to-date AV software is really good at what it does. It of course is never 100%.

It is always hard to protect against the unknown or user actions.
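To make the two approaches in this answer concrete (and the question’s points about a virus that changes its own hash and a backup program that uploads files), here is an added toy example that is not code from this thread. Every sample, hash, pattern and event trace in it is constructed for illustration, and the rule thresholds are arbitrary choices, not those of any real product. It shows a whole-file hash signature that a one-byte change defeats, a partial byte-pattern signature that still catches the variant, and behavioral rules run over recorded process activity that flag a keylogger and a file-encrypting process while leaving a backup program alone.

```python
"""Toy signature-based and behavior-based detection.

Added example, not code from the original thread. Every sample, hash,
pattern and event trace below is constructed for illustration.
"""
import hashlib
from collections import defaultdict

# ---------------------------------------------------------------------------
# Signature detection: whole-file hash vs. partial byte patterns
# ---------------------------------------------------------------------------

# Constructed stand-in for a known malicious executable.
KNOWN_BAD = b"MZ\x90\x00" + b"\x00" * 8 + b"GetAsyncKeyState\x00send_to_c2\x00"

# Hash "database" of known samples (the mechanism the question describes).
HASH_DB = {hashlib.sha256(KNOWN_BAD).hexdigest()}

# Pattern signatures: byte strings shared by a whole family, so a sample
# only needs to be similar, not identical. The patterns are hypothetical.
PATTERN_DB = {
    "keylogger.generic": [b"GetAsyncKeyState", b"send_to_c2"],
}


def hash_match(data: bytes) -> bool:
    """Exact whole-file match: any single-byte change defeats this."""
    return hashlib.sha256(data).hexdigest() in HASH_DB


def pattern_match(data: bytes) -> list:
    """Names of signatures whose patterns all occur somewhere in the file."""
    return [name for name, pats in PATTERN_DB.items()
            if all(p in data for p in pats)]


def scan_file(data: bytes) -> dict:
    return {"hash": hash_match(data), "patterns": pattern_match(data)}


# A "self-modifying" variant: same code plus one byte, hence a new hash.
VARIANT = KNOWN_BAD + b"\x00"

# ---------------------------------------------------------------------------
# Behavioral detection: rules over what a process actually does
# ---------------------------------------------------------------------------

# Constructed event traces (process, action, target), as a runtime monitor
# or sandbox might record them.
TRACE_BACKUP = [
    ("backup.exe", "read", "Documents/report.docx"),
    ("backup.exe", "read", "Documents/taxes.xlsx"),
    ("backup.exe", "read", "Pictures/cat.jpg"),
    ("backup.exe", "connect", "backup.example.com:443"),
]
TRACE_RANSOM = [
    ("invoice.exe", "read", "Documents/report.docx"),
    ("invoice.exe", "write", "Documents/report.docx.locked"),
    ("invoice.exe", "delete", "Documents/report.docx"),
    ("invoice.exe", "read", "Documents/taxes.xlsx"),
    ("invoice.exe", "write", "Documents/taxes.xlsx.locked"),
    ("invoice.exe", "delete", "Documents/taxes.xlsx"),
    ("invoice.exe", "read", "Pictures/cat.jpg"),
    ("invoice.exe", "write", "Pictures/cat.jpg.locked"),
    ("invoice.exe", "delete", "Pictures/cat.jpg"),
]
TRACE_KEYLOG = [
    ("update.exe", "hook_keyboard", "*"),
    ("update.exe", "connect", "203.0.113.7:8080"),
]


def analyse_trace(trace: list) -> dict:
    """Map each process name to the behavioral rules it triggered."""
    actions = defaultdict(lambda: defaultdict(set))
    for proc, action, target in trace:
        actions[proc][action].add(target)

    verdicts = {}
    for proc, acts in actions.items():
        hits = []
        # Rule 1: wrote >= 3 new files and deleted >= 3 files. Merely reading
        # many files and uploading them (a backup) does not trigger this.
        if len(acts["write"]) >= 3 and len(acts["delete"]) >= 3:
            hits.append("mass_file_replacement")
        # Rule 2: installs a keyboard hook and also talks to the network.
        if acts["hook_keyboard"] and acts["connect"]:
            hits.append("keylog_and_exfil")
        verdicts[proc] = hits
    return verdicts


if __name__ == "__main__":
    print(scan_file(KNOWN_BAD))   # hash and pattern both hit
    print(scan_file(VARIANT))     # hash misses, pattern still hits
    for t in (TRACE_BACKUP, TRACE_RANSOM, TRACE_KEYLOG):
        print(analyse_trace(t))
```

The backup trace is the hard case the answer mentions: it reads every document and connects out, exactly like exfiltration, and only the absence of writes and deletes keeps it clean. A real engine would need far more context (is the destination the configured backup server? is the binary signed?) to avoid both missed hijacks and false positives.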

Anonymous

There’s a technical word called a sandbox. Imagine you are worried a kid is gonna shit on the beach. So you make a sandbox on the beach; the “kid” (virus) sees the “sand” (fake computer) and violently shits. You notice the shit, quarantine the kid, and wipe the sandbox clean. No shit on the beach.