more on this.
Antivirus and antispyware scans rely mostly on signatures to detect known threats. Proactive threat scans use heuristics to detect unknown threats. Heuristic process scans analyze the behavior of an application or a process. The scan determines if the process exhibits characteristics of threats, such as Trojan horses, worms, or keyloggers. This type of protection is sometimes referred to as protection from zero-day attacks.
Auto-Protect also uses a type of heuristic called Bloodhound to detect suspicious behavior in files. Proactive threat scans detect suspicious behavior in active processes