This is considered fairly standard operating procedure in the world of computer viruses as well. When a new virus is discovered in the wild (a term used to mean that a virus is active on the Internet at large), the antivirus vendors must first get a copy of the actual virus. They break it down and determine how it works and how it replicates so that they can develop a means of detecting and blocking this new threat with their antivirus software.
The process takes time though. Depending on the impact of the threat, the virus may already have disabled a significant portion of the Internet before the antivirus vendors develop the “vaccine”. This was the case with the SQL Slammer worm in January of 2003. It spread around the world in under an hour and generated enough traffic to effectively shut down much of the Internet. It was hours later before the antivirus vendors began to release their updated virus files to detect the new threat.
In my opinion, the entire model of developing a signature for each new threat and adding it to the database of detected threats will eventually become too cumbersome anyway. Currently the weekly SuperDAT update from McAfee, which includes both the updated virus database and an updated detection engine, is about 5Mb in size. New viruses are detected weekly and sometimes daily. Eventually this file may be 10Mb, 50Mb or 100Mb. Not only will it become too daunting for users to download each week, but it may significantly affect the performance of their computers if all network traffic has to be verified against this database.
This method also means that the security experts and antivirus vendors are always one step behind the malicious code writers. It is a reactive model in which nothing is done proactively. The virus writer gets the first move, and if it is a good one it can cause major damage before the antivirus community can develop an effective response.
Most antivirus software performs heuristic scanning as well which can detect some unknown threats. Heuristic scans attempt to detect virus or worm activity by comparing traffic against past virus-like activity and looking for behavior that is anomalous or out of the ordinary. Heuristic scanning is far from perfect though and doesn’t catch a lot of new viruses. Again, even heuristic scanning depends in part on what we already know about viruses and worms.
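As an added illustration (example code written for this page, not from the author or from any antivirus vendor), the following Python contrasts the two detection models described above: an exact signature lookup, which misses a sample that differs by a single byte until an analyst adds a new entry, and a behavioural heuristic that flags a host contacting many distinct addresses on one port within a short window, which catches an unknown fast spreader but not a slow one. All sample bytes, addresses and flow records are constructed, and the names `signature_scan`, `heuristic_scan` and `constructed_flows` are this example's own.

```python
"""Signature matching versus a simple behavioural heuristic (illustration only).

Written for this page as an added example; not a vendor's engine. Every
sample, address and flow record below is constructed.
"""
import hashlib
from collections import defaultdict

# --- Signature model ---------------------------------------------------------
# Constructed "known samples": in a real database these would be byte patterns
# or hashes that analysts extracted after obtaining a copy of the virus.
KNOWN_SAMPLES = {
    b"CONSTRUCTED-WORM-A v1": "Worm.Constructed.A",
    b"CONSTRUCTED-WORM-B v1": "Worm.Constructed.B",
}
SIGNATURE_DB = {hashlib.sha256(s).hexdigest(): name for s, name in KNOWN_SAMPLES.items()}


def signature_scan(sample: bytes):
    """Exact-match lookup: returns the threat name for a known sample, else None.

    Any change to the sample (a new variant) yields a different hash and is
    missed until analysts add a new entry: the lag the text describes.
    """
    return SIGNATURE_DB.get(hashlib.sha256(sample).hexdigest())


# --- Behavioural heuristic ---------------------------------------------------
def heuristic_scan(flows, window_seconds=10.0, fanout_threshold=50):
    """Flag sources that contact many distinct hosts on one port within a window.

    `flows` is an iterable of (timestamp, src, dst, dport) tuples. A host that
    sends to dozens of distinct addresses on the same port within seconds looks
    like a scanning worm regardless of payload, so this catches some unknown
    code. A slow spreader that stays below the threshold is not caught, which
    is the weakness of heuristics the text mentions. Returns a dict mapping
    (src, dport) to the largest distinct-destination count seen in one window.
    """
    alerts = {}
    by_src_port = defaultdict(list)  # (src, dport) -> [(ts, dst), ...] in window
    for ts, src, dst, dport in sorted(flows):  # process in timestamp order
        bucket = by_src_port[(src, dport)]
        bucket.append((ts, dst))
        # drop records that fell out of the sliding window
        while bucket and bucket[0][0] < ts - window_seconds:
            bucket.pop(0)
        distinct = {d for _, d in bucket}
        if len(distinct) >= fanout_threshold:
            key = (src, dport)
            alerts[key] = max(alerts.get(key, 0), len(distinct))
    return alerts


def constructed_flows():
    """Constructed flow records: a normal client, a fast spreader, a slow spreader."""
    flows = []
    # Normal workstation: twenty web requests to four servers over a minute.
    for i in range(20):
        flows.append((i * 3.0, "10.0.0.5", f"192.0.2.{i % 4}", 80))
    # Fast spreader: 200 distinct hosts on one port inside two seconds
    # (port 1434 is the one Slammer targeted; addresses are documentation ranges).
    for i in range(200):
        flows.append((30.0 + i * 0.01, "10.0.0.9", f"198.51.100.{i + 1}", 1434))
    # Slow spreader: one new host every 5 s, so never 50 within a 10 s window.
    for i in range(40):
        flows.append((100.0 + i * 5.0, "10.0.0.7", f"203.0.113.{i + 1}", 1434))
    return flows


def demo():
    """Run both scanners over the constructed inputs and return their verdicts."""
    known = b"CONSTRUCTED-WORM-A v1"
    variant = b"CONSTRUCTED-WORM-A v2"  # one byte changed: an unknown variant
    return {
        "known_sample": signature_scan(known),      # "Worm.Constructed.A"
        "new_variant": signature_scan(variant),     # None: signature misses it
        "heuristic_alerts": heuristic_scan(constructed_flows()),  # fast spreader only
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

The heuristic fires on the fast spreader purely from its fan-out, with no knowledge of its bytes, but the slow spreader and the normal client produce no alert; lowering `fanout_threshold` would catch the slow spreader at the cost of false positives on busy legitimate hosts, which is the trade-off every heuristic tuning faces.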