I was under the impression that realtime protection in AV programmes meant that a virus would be detected as soon as it entered your system. This is obviously not the case, as I found one when I did a full scan. So what does realtime actually do?
Most AV software relies on a database of signatures of known viruses (although some also analyse the behaviour of programs for "virus-like" activity, with varying degrees of success). This is why you get frequent updates.
It's quite possible for a new virus to enter your system before it becomes widely known. If you then scan at a later date (after the new information has been disseminated) it's possible that the AV will identify a previously undetected infection.
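The timing described above, as an added example that is not part of the original posts: a toy scanner whose real-time check and full scan both consult the same signature database, so a file written before its signature arrives is only caught by a later scan. The class, file names and sample bytes are constructed for illustration, and matching on a whole-file SHA-256 is a simplifying assumption, not how any particular AV product works.

```python
import hashlib


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class SignatureScanner:
    """Toy scanner: content is flagged only if its hash is in the database."""

    def __init__(self):
        self.signatures = {}  # sha256 hex digest -> detection name

    def update(self, new_signatures: dict) -> None:
        """A definitions update: merge newly published signatures."""
        self.signatures.update(new_signatures)

    def check(self, data: bytes):
        return self.signatures.get(digest(data))

    def on_access(self, disk: dict, path: str, data: bytes):
        """Real-time check: runs once, at write time, with the database as it is now."""
        verdict = self.check(data)
        if verdict is None:
            disk[path] = data  # nothing matched, so the write is allowed
        return verdict

    def full_scan(self, disk: dict) -> dict:
        """On-demand scan: re-checks everything already on disk."""
        hits = {}
        for path, data in disk.items():
            verdict = self.check(data)
            if verdict is not None:
                hits[path] = verdict
        return hits


def demo():
    known = b"constructed-known-sample"  # constructed sample, already in the database
    fresh = b"constructed-new-sample"    # constructed sample, not yet catalogued
    scanner, disk = SignatureScanner(), {}
    scanner.update({digest(known): "Known.Sample.A"})

    blocked = scanner.on_access(disk, "old.exe", known)  # caught on arrival
    missed = scanner.on_access(disk, "new.exe", fresh)   # no signature yet
    before = scanner.full_scan(disk)                     # still nothing to match

    scanner.update({digest(fresh): "New.Sample.B"})      # definitions update arrives
    after = scanner.full_scan(disk)                      # same file, now detected
    return blocked, missed, before, after


if __name__ == "__main__":
    print(demo())
```
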