Does anyone know what it actually does / how it works? Ideally I'd like a technical answer here. I presume it's something basic like checking for modified files (lololo) rather than something more effective like process scans, but you never know.

(No, I am not secretly some 1337 uberh4x0r coming to mass kill you, I'm just curious.)