Security solution for PHP based websites

How does the website antivirus work?

The website antivirus is built on so-called “cloud” technology. The entire antivirus base and all program files are stored on the PHP Keeper server. The user only has to create an account on www.phpkeeper.com, download the small file “keeper.php” to his/her web server, and run it there. When run, “keeper.php” downloads an initial encrypted program code with a one-time password from our server. This program code runs to check the balance of the user’s personal account and to download a file scanning module and a primary set of signatures*.

A primary signature found in a file points to a group (type) of threats. If the file matches any primary signature, it is rechecked against the second-level signatures, which form a subgroup for the detected primary signature. If a second-level signature is detected, the third-level signatures, which are defined for that second-level signature and point to a sub-subgroup of threats, are downloaded and the file is checked again. If a third-level signature is detected, a certain group of virus bodies is downloaded from the cloud and the file is checked for the fourth time. If a certain known virus body is detected, the file is cured. If signatures pointing to a virus are detected, the file is marked as “potentially dangerous” and can be checked manually or sent to us for further analysis.

This is the organization of a distributed (self-extracting) scanning scheme, which makes it possible to quickly check each file for any of the tens of thousands of viruses stored in our base. In other antiviruses this algorithm is known as “heuristic analysis” or “on-the-fly scanning”. Of course, the user takes no part in this “magic” process: he/she just has to run the file “keeper.php” on his/her server, and that’s all!
* A signature is a feature, or a set of features, that the scanner searches for in files in order to identify rogue code.
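
The four-pass scheme described above, sketched as an added example (this is not PHP Keeper's code): each deeper signature set is requested only after its parent signature has matched. The signature tree, patterns, key names and the local array standing in for the cloud base are constructed assumptions, as is the choice to report any signature match without a known body as "potentially dangerous".

```php
<?php
// Constructed stand-in for the remote base; every pattern and key name is an assumption.
const REMOTE_BASE = [
    'L1'                  => ['obfuscation' => '/base64_decode\s*\(/i', 'packer' => '/gzinflate\s*\(/i'],
    'L2:obfuscation'      => ['dynamic-exec' => '/\beval\s*\(/i'],
    'L3:dynamic-exec'     => ['request-driven' => '/\$_(POST|GET|REQUEST|COOKIE)\b/'],
    'BODY:request-driven' => ['sample-loader' => 'eval(base64_decode($_POST["k"]));'],
];
// Simulated download: records which sets were requested, so the lazy fetching is visible.
function fetchSet(string $key, array &$fetched): array
{
    $fetched[] = $key;
    return REMOTE_BASE[$key] ?? [];
}

function scanSource(string $src, array &$fetched): array
{
    $path = [];
    $key = 'L1';
    for ($level = 1; $level <= 3; $level++) {
        $hit = null;
        foreach (fetchSet($key, $fetched) as $name => $regex) {
            if (preg_match($regex, $src) === 1) { $hit = $name; break; }
        }
        if ($hit === null) {
            // Nothing matched at this level: clean if no level matched, otherwise suspicious.
            return ['verdict' => $path ? 'potentially dangerous' : 'clean', 'path' => $path];
        }
        $path[] = $hit;
        $key = ($level < 3 ? 'L' . ($level + 1) : 'BODY') . ':' . $hit;
    }
    foreach (fetchSet($key, $fetched) as $name => $body) {   // fourth pass: known bodies
        if (strpos($src, $body) !== false) {
            return ['verdict' => 'known body', 'path' => $path, 'body' => $name,
                    'cured' => str_replace($body, '', $src)];
        }
    }
    return ['verdict' => 'potentially dangerous', 'path' => $path];
}
$samples = [   // constructed sample inputs
    'index.php'  => '<?php echo "hello";',
    'mailer.php' => '<?php $t = base64_decode($cfg); eval($t);',
    'cache.php'  => '<?php eval(base64_decode($_POST["k"])); echo "ok";',
];
foreach ($samples as $file => $src) {
    $fetched = [];
    $r = scanSource($src, $fetched);
    printf("%-10s %-21s fetched: %s\n", $file, $r['verdict'], implode(', ', $fetched));
}
```

A file that matches nothing costs a single lookup against the primary set, which is why the tiered layout stays fast even when the full base is large.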
