If the malicious code makes it past the firewall and past the IDS to your local computer, it is left to the anti-virus software to detect it and protect your system. Typical anti-virus software works in a similar manner to IDS signatures. Each time a new virus is discovered, its characteristics (subject line, message body, name of attached file(s), size of email or attached file(s), anything that makes it unique and that is consistent) are catalogued and added to the list of known viruses. The software scans local computer files, incoming emails and Internet traffic for signs of malicious code. While hacking and viruses are two different kinds of attack that may occur on your system, many anti-virus software packages are also set up to detect or prevent known security attacks, backdoors and Trojan horse programs that might be placed on your computer by a hacker.
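To make the catalogue-and-match idea concrete, here is an added example (not taken from any anti-virus product) that checks email messages against a small signature list. The signature names, field names and sample messages are all constructed for illustration.

```python
import hashlib
from email.message import EmailMessage

# Constructed catalogue: every field other than "name" must match for a hit.
SIGNATURES = [
    {"name": "Example.Worm.A", "subject": "important document",
     "attachment": "invoice.doc.exe", "size": 2048},
    {"name": "Example.Trojan.B",
     "sha256": hashlib.sha256(b"constructed-payload-B").hexdigest()},
]

def observe(msg):
    """Return one dict of catalogued characteristics per attachment."""
    subject = (msg["Subject"] or "").strip().lower()
    seen = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        seen.append({"subject": subject,
                     "attachment": (part.get_filename() or "").lower(),
                     "size": len(data),
                     "sha256": hashlib.sha256(data).hexdigest()})
    # A message without attachments can still match a subject-only signature.
    return seen or [{"subject": subject, "attachment": "", "size": 0, "sha256": ""}]

def scan(msg):
    """Return the names of all signatures that match the message."""
    hits = []
    for sig in SIGNATURES:
        fields = {k: v for k, v in sig.items() if k != "name"}
        if any(all(obs[k] == v for k, v in fields.items()) for obs in observe(msg)):
            hits.append(sig["name"])
    return hits

def make_mail(subject, filename, data):
    """Build a constructed sample message with one binary attachment."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("See attached.")
    msg.add_attachment(data, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg

if __name__ == "__main__":
    for mail in (make_mail("Important document", "invoice.doc.exe", b"A" * 2048),
                 make_mail("hello", "notes.bin", b"constructed-payload-B"),
                 make_mail("Lunch?", "menu.pdf", b"%PDF-constructed")):
        print(mail["Subject"], "->", scan(mail) or "no known signature")
```

The third message is reported as clean only because nothing in the catalogue describes it, which is why the list has to be updated each time a new virus is discovered.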
This is just a small sampling of the layers available to defend your network. For more complicated or larger networks, it is prudent to set up multiple firewalls and create a DMZ (demilitarized zone) to segment certain types of traffic that may need less restricted access to the public Internet from your internal systems. No matter how you choose to protect your network, it is important not to put all of your eggs in one basket, or to buy all of your eggs from the same chicken.

