Scan for Encrypted Files
How many encrypted files does a system normally have? Could you just scan for encrypted files, and then you would have a list of files to analyze? You could even quarantine them and make a decision later. This should at least help control the use of them in an attack. Ultimately it seems we need the OS core to be either invulnerable or replaceable, so that attacks on it can be stopped or a simple reboot (press F4) reinstalls the core from a read-only device. Basically sandboxing the core, so it can come up clean and allow tools to clean any applications or data. Do we need a hypervisor that runs multiple components, one focused just on security, for example?