Antivirus applications work by comparing files against a database of known signatures. If a file contains the same code string as one that was reported as a virus, that file is flagged as a virus. This is also the typical scenario for false positives: a harmless file that happens to contain the same string gets flagged too. However, if you take a known virus and you modify the signature, then the antivirus no longer views it as a threat; or does it? End users are often only aware of signature-based antivirus applications, but there are other types out there. One example is behavior-based antivirus, where the software looks at behavior or actions instead of signatures. In this type of detection, the antivirus software looks for actions from a predetermined list that have been flagged as malicious behaviors.
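The two approaches described above, side by side, as an added example that is not from the original page: a toy scanner whose signature database, sample files, action names and alert threshold are all constructed for illustration. It shows a harmless file matching a signature (a false positive) and a sample whose signature bytes were changed still being caught by its behavior.

```python
# Toy scanner: every signature, sample and action name here is constructed.
SIGNATURES = {"Demo.Sample.A": b"\xde\xad\xbe\xef_DEMO_MARKER"}

# Predetermined list of actions flagged as malicious (assumed names).
FLAGGED_ACTIONS = {"add_autorun_entry", "disable_security_service", "mass_rename_files"}
BEHAVIOUR_THRESHOLD = 2  # distinct flagged actions needed to raise an alert (assumed)


def signature_scan(data: bytes) -> list[str]:
    """Names of all signatures whose byte string occurs anywhere in the file."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def behaviour_scan(actions: list[str]) -> list[str]:
    """Flagged actions observed, or [] if fewer than the threshold occurred."""
    hits = sorted(set(actions) & FLAGGED_ACTIONS)
    return hits if len(hits) >= BEHAVIOUR_THRESHOLD else []


def verdict(data: bytes, actions: list[str]) -> dict:
    """Combine both detectors; either one firing counts as a detection."""
    sig, beh = signature_scan(data), behaviour_scan(actions)
    return {"signature": sig, "behaviour": beh, "detected": bool(sig or beh)}


BAD_ACTIONS = ["open_file", "add_autorun_entry", "mass_rename_files"]
# Constructed samples: (file bytes, actions observed while the file ran).
SAMPLES = {
    "reported sample": (b"hdr" + SIGNATURES["Demo.Sample.A"] + b"tail", BAD_ACTIONS),
    "same sample, signature bytes changed": (b"hdr\xde\xad\xbe\xee_DEMO_MARKERtail", BAD_ACTIONS),
    "harmless report quoting the string": (b"IOC: " + SIGNATURES["Demo.Sample.A"], ["open_file"]),
    "ordinary program": (b"hello world", ["open_file", "add_autorun_entry"]),
}


def run_all() -> dict:
    """Verdict for every constructed sample, keyed by sample name."""
    return {name: verdict(data, acts) for name, (data, acts) in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:40} {result}")
```

The last sample performs one flagged action but stays below the threshold, which is how a behavior-based engine avoids alerting on every program that performs a single flagged action.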