Antivirus programs search a virus executable for a known piece of code or some other sort of signature that uniquely identifies it. Exactly how a virus is identified depends upon how the antivirus was made. The "signatures" or "definitions" you download just about every day is a database containing these identifications.
A virus isn't [I]known[/I] and removable until it has already been released, hit some computers, and either submitted to or caught by Antivirus companies who add an ID for the virus to their database and release an update. To combat new viruses that are unknown, what's called a heuristic scan may be performed.
A heuristic scan picks apart an executable and searches for patterns commonly found in viruses, such as disabling parts of Windows, raising a fake error when something is opened, etc. Most viruses (in this case I am talking about extremely common 'rouge antiviruses') are just cheap copies of earlier ones. Several are identical to one another other than a slightly different GUI, name, and possibly hiding techniques. You can see how this actually works well! If a program is flagged by heuristics it is usually flagged as "Suspicious" as the antivirus doesn't really know if it is a threat or not.
Anyway, It depends on exactly what you are doing in the background. If you're accessing the internet in any way, it'll probably respond by asking the user to allow the program through the firewall. (assuming the antivirus has one, it SHOULD if it's worth anything) ...