
Question: if he's hit with a zero-day exploit, how does having AV installed help?



Answer: Good definitions are crafted so that they detect not only all existing versions seen but also allow room for change and for changes in file characteristics, so that future versions of the malware family can be caught with the same definition.

Good definitions will go on killing items in the wild well past the date the initial zero-day came out (the one that caused the need for the definition in the first place).

This is why brand new generations of malware drop and are detected by a few security guys. This is also why some people have huge numbers of FPs: because they allow so much room for flexibility to catch future malware that they accidentally kill off legit files in the process.
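An added illustration of the trade-off the answer above describes (example code, not part of the thread and not any vendor's engine): a toy byte-pattern scanner whose `??` single-byte wildcard and `[n-m]` gap syntax mirrors the hex-signature conventions of ClamAV and YARA. The three samples and three signatures are constructed for the example; the "malware" is a made-up decoder stub, not real code. An exact signature catches only the build it was written for, a generic one with wildcards over the per-build key and a short gap before the call also catches the later build, and an over-broad one starts firing on a benign file that merely shares the function prologue.

```python
"""Toy wildcard signature scanner (added example, not from the thread).

Signature syntax, modelled on ClamAV/YARA hex strings:
  "55 8b"   literal bytes
  "??"      any single byte
  "[n-m]"   between n and m arbitrary bytes
All samples below are constructed for illustration, not real malware.
"""
import re

# --- constructed samples ----------------------------------------------------
# Hypothetical decoder stub of a malware family: push ebp / mov ebp,esp /
# mov eax,<key> / xor eax,ecx / call <decoder>. The key changes per build.
MALWARE_V1 = bytes.fromhex("55 8b ec b8 11 22 33 44 31 c8 e8 05 00 00 00") + b"beacon\0"
# A later build of the same family: new key, two NOPs inserted before the call.
MALWARE_V2 = bytes.fromhex("55 8b ec b8 99 aa bb cc 31 c8 90 90 e8 05 00 00 00") + b"beacon\0"
# Benign code that shares the prologue and the mov/xor pair but then returns.
BENIGN = bytes.fromhex("55 8b ec b8 00 00 00 00 31 c8 c3") + b"hello\0"

CORPUS = {"malware_v1": MALWARE_V1, "malware_v2": MALWARE_V2, "benign": BENIGN}
TRULY_MALICIOUS = {"malware_v1", "malware_v2"}

SIGNATURES = {
    # exact bytes of the first sample: catches v1 only
    "exact_v1": "55 8b ec b8 11 22 33 44 31 c8 e8 05 00 00 00",
    # key wildcarded, up to 4 bytes of slack before the call: catches v1 and v2
    "generic": "55 8b ec b8 ?? ?? ?? ?? 31 c8 [0-4] e8",
    # too loose: the prologue plus mov/xor alone also fires on the benign file
    "overbroad": "55 8b ec b8 ?? ?? ?? ?? 31 c8",
}

_TOKEN = re.compile(r"\[(\d+)-(\d+)\]|\?\?|[0-9a-fA-F]{2}")


def compile_signature(text):
    """Turn the textual signature into a list of match tokens."""
    tokens = []
    for tok in text.split():
        m = _TOKEN.fullmatch(tok)
        if not m:
            raise ValueError(f"bad token {tok!r} in signature")
        if m.group(1) is not None:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"bad gap {tok!r}")
            tokens.append(("gap", lo, hi))
        elif tok == "??":
            tokens.append(("any",))
        else:
            tokens.append(("byte", int(tok, 16)))
    return tokens


def _match_at(tokens, data, pos, ti=0):
    """Match tokens[ti:] against data starting at pos, backtracking on gaps."""
    if ti == len(tokens):
        return True
    tok = tokens[ti]
    if tok[0] == "gap":
        for skip in range(tok[1], tok[2] + 1):
            if pos + skip > len(data):
                break
            if _match_at(tokens, data, pos + skip, ti + 1):
                return True
        return False
    if pos >= len(data):
        return False
    if tok[0] == "byte" and data[pos] != tok[1]:
        return False
    return _match_at(tokens, data, pos + 1, ti + 1)


def scan(data, signature):
    """True if the signature matches anywhere in data."""
    tokens = compile_signature(signature)
    return any(_match_at(tokens, data, i) for i in range(len(data) + 1))


def evaluate(signatures=SIGNATURES, corpus=CORPUS, malicious=TRULY_MALICIOUS):
    """Per signature: which malicious samples it detects or misses, and its FPs."""
    report = {}
    for name, sig in signatures.items():
        hits = {sample for sample, data in corpus.items() if scan(data, sig)}
        report[name] = {
            "detected": hits & malicious,
            "missed": malicious - hits,
            "false_positives": hits - malicious,
        }
    return report


if __name__ == "__main__":
    for name, r in evaluate().items():
        print(f"{name:10s} detected={sorted(r['detected'])} "
              f"missed={sorted(r['missed'])} fp={sorted(r['false_positives'])}")
```

Running it shows the three outcomes side by side: `exact_v1` misses the second build, `generic` catches both with no false positive, and `overbroad` flags the benign file. Widening the wildcards or the gap is exactly the "room for flexibility" the answer refers to, and the benign hit is the cost of widening it too far.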


Well, ok, that makes sense; I thought the OP was trying to say that AV provides protection against brand new zero-day exploits which seems like wishful thinking.


No, I meant basically what jgmmo said, the AV scanners pick up a lot more than the virus they were written to prevent. Anything that triggers virus-like behavior will let you know you're infected (might not be able to clean it though). That's one of the points made in the article about false positives.



