@Alanrf, come on, do I need to explain?
Have a look at the Windows Defender agents. That is a nicely setup list of vulnarable points to monitor. My ideal Avast standard module would have those options (now it only has on exection and read and write check). Checking every execution is not a sophisticated way of dealing with the blacklist.
When a programs registers itself, makes permanent changes on Vista/Windows 7 virtualised areas (file + reg), loads a driver, accesses disk, keyboard, memory directly or tries to intrude a kernel object, I would like Avast to check its black list data base. I would also like to tell the behavior 'monitor' to apply different sensitivity levels for different age patterns (like new programs < 1 day = high, between a day and a two weeks = medium, older than two weeks = low)
When malware behaviour patterns are recoginised, profile the executable (when it is not in the black list) and send it to Avast server for analysis. This to shorten the time between launch of zero-day malware and first recognistion of it in the wild.
Getting earlier malware samples from around the world, increases the effectivity of Avast, reduces time Avast professionals are now scanning for it and reduces the time between malware launch and recognition.
Regards Kees (by the way the same one as from wilders)