Modern AV use specific API functions provided by modern OSs to intercept the datastream they need to scan. For example, to perform on-access-scans of the file system, AVs install a
File System Filter. Several File System Filters can be installed at once. The OS knows about these filters and manages them, there are no "hooking" conflicts.
I explained this in more detail in this blogpost:
Malicious Cryptography « Didier Stevens
File System Filters have an "altitude", this essentially dictates which filter gets the data first as it goes up and down the driver stack. So if you install 2 AVs that use a File System Filter, they will work together without problem.
However, because of the difference in altitude (Microsoft assigns altitudes upon request by the developers),
one of the filters will see the data first and thus act first (for example delete the virus). The other filter, which comes second, will not see the data in that case. But if the first filter misses a virus (e.g. because it is not in its signature database), the second filter will see it and can act.
There are other ways modern AV products use to perform on-access-scan. For example, many AVs will scan VBScript and JavaScript scripts prior to execution. I explained in this blogpost how they do this:
Quickpost: Scanning Scripts « Didier Stevens
This system too can work fine with 2 AVs, but again,
one of the proxies will be the first.
From experience, I know AV vendors are very careful in the design of their installation products. They usually manage installing the filters I describe above without conflicts.
But it is true that the uninstaller is sometimes less well designed. I can see, for example, how sloppy uninstallment of the script-scan component
would break the chain and disable scripting altogether.
From a performance point of view, if you have a modern multi-processor/multi-core machine, running 2 AVs will not significantly slow down your machine (assuming there are no conflicts).
One reason not to install 2 AVs, is that they might generate false positives on each others artifacts. For example, AV 1 might erroneously detect a virus, while what it is actually seeing is not a real virus, but the file with the signature database of the AV 2. Or AV 2 might have quarantined a file, and AV 1 picks up on this quarantined file. This is not a real false positive, but it's neither a real true positive... You don't need to be alerted twice about the same file.
Another reason against running 2 AVs is vendor support. Most vendors will not provide you with support if you are running their product concurrently with another AV product.
