Actually there is a part that is not encrypted, otherwise the program cannot run. This is usually named stub and AV can either just add a signature that matches that stub as well as analyse the use of certain system calls that are required in order to be able to decrypt and run the .text segment. Furthermore, some techniques to run the decrypted code (to give control back to the original program) are commonly used by virus and therefore are well-known to AV SW.
You can take a look to:
To check the basics: What is that stub about? or what syscalls are required and why? These posts are GNU/Linux oriented but the concepts are the same for all OSes… You just have to use different syscalls and deal with different file formats.