Monitoring programs are active tools for the real-time detection of viruses and Trojan horses. They are intended to intervene or sound an alarm whenever a program performs an action considered virus-like or otherwise malicious. However, since a virus is just a code stream, there is a very real possibility that legitimate programs will perform the same actions, causing the alarms to sound.
The designer of such a system begins with a model of "malicious" behavior, then builds modules which intercept and halt attempts to perform those actions. Those modules operate as a part of the operating system.
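
The design described above can be simulated in a few lines. The following is an added example, not code from the original text: it models the intercepting module as a Python class and runs it over a constructed trace to show legitimate programs tripping the same rules as an infector. The two rules, the Action fields, the program names and the operator allow-list are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed model of "virus-like" actions; the page names no specific rules.
EXECUTABLE_SUFFIXES = (".exe", ".com", ".sys")

@dataclass(frozen=True)
class Action:
    program: str  # program requesting the operation
    op: str       # "open_write" or "raw_disk_write"
    target: str   # file path or disk sector

def classify(action):
    """Return the name of the matched rule, or None if the action looks benign."""
    if action.op == "raw_disk_write" and action.target == "sector:0":
        return "boot-sector write"
    if action.op == "open_write" and action.target.lower().endswith(EXECUTABLE_SUFFIXES):
        return "write to executable"
    return None

class Monitor:
    """Stands in for the OS-level module: sees every request, halts rule matches."""
    def __init__(self, allow=()):
        self.allow = set(allow)  # (program, rule) pairs an operator has approved
        self.alarms = []

    def request(self, action):
        rule = classify(action)
        if rule and (action.program, rule) not in self.allow:
            self.alarms.append((action.program, rule))
            return False  # halted, alarm raised
        return True       # passed through to the real service

# Constructed sample trace: one infector and three legitimate programs.
TRACE = [
    Action("infected.com", "open_write", "C:\\DOS\\FORMAT.COM"),
    Action("linker.exe", "open_write", "C:\\BUILD\\APP.EXE"),
    Action("editor.exe", "open_write", "C:\\DOCS\\NOTES.TXT"),
    Action("fdisk.exe", "raw_disk_write", "sector:0"),
]

def run(trace, allow=()):
    monitor = Monitor(allow)
    verdicts = [monitor.request(a) for a in trace]
    return verdicts, monitor.alarms

if __name__ == "__main__":
    for prog, rule in run(TRACE)[1]:
        print(f"ALARM {prog}: {rule}")
```

Of the three alarms raised, two come from legitimate programs (the linker and the partitioning tool), because the rules describe actions rather than intent. Passing an allow-list entry for the linker lets its write through while the infector is still halted.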