Well, basically it has a list of known malware/viral behaviors and rates them accordingly. For example, if it is signed by a trusted company, then it gives it a +10 rating. If it is able to monitor and log system activity, a -7 rating. If it controls other programs, a -4 rating. Something like that.