There are defences for this: if one controls/monitors network access for every app in the system, then as soon as any unusual network access is triggered, it is investigated and blocked.
In my home Windows setup, only Windows Defender, Firefox and Chrome are allowed outgoing internet access on a regular basis. Everything else is blocked.
Windows Update is only allowed when I'm in the mood for it (~once a year). Anyone can do this easily by controlling srvhost.exe's internet access with the Windows Firewall app.
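As an added illustration (not part of the comment above), the same default-deny egress setup expressed in PowerShell: block all outbound traffic, allow a short list of programs, log every drop so it can be investigated before a rule is added, and keep Windows Update behind a rule that is switched on only when wanted. The program paths, rule names and log path are assumptions for a typical 64-bit install; adjust them to the machine.

```powershell
# Added example, not from the thread: default-deny outbound Windows Firewall policy
# with a per-application allow list and logging of blocked connections.
# Run from an elevated PowerShell session. Paths are assumptions; adjust as needed.
#Requires -RunAsAdministrator

$AllowedPrograms = @{
    'Firefox' = 'C:\Program Files\Mozilla Firefox\firefox.exe'            # assumed path
    'Chrome'  = 'C:\Program Files\Google\Chrome\Application\chrome.exe'   # assumed path
}
# Defender's engine lives under a versioned Platform folder; pick the newest one.
$platformRoot = 'C:\ProgramData\Microsoft\Windows Defender\Platform'       # assumed path
if (Test-Path $platformRoot) {
    $engine = Get-ChildItem $platformRoot -Directory |
        Sort-Object { [version]$_.Name } -Descending | Select-Object -First 1 |
        ForEach-Object { Join-Path $_.FullName 'MsMpEng.exe' }
    if ($engine -and (Test-Path $engine)) { $AllowedPrograms['Windows Defender'] = $engine }
}

$RuleGroup = 'Egress allow list'
$LogPath   = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

function Set-DefaultDenyOutbound {
    # Block outbound by default on all three profiles and log the drops for review.
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -DefaultOutboundAction Block -LogBlocked True `
        -LogFileName $LogPath -LogMaxSizeKilobytes 16384

    # Name resolution runs in the DNS Client service (Dnscache) inside svchost.exe;
    # without this rule the allowed browsers cannot resolve names (unless they use DoH).
    New-NetFirewallRule -DisplayName 'Egress allow: DNS client' -Direction Outbound `
        -Service Dnscache -Protocol UDP -RemotePort 53 -Action Allow -Group $RuleGroup | Out-Null

    foreach ($name in $AllowedPrograms.Keys) {
        New-NetFirewallRule -DisplayName "Egress allow: $name" -Direction Outbound `
            -Program $AllowedPrograms[$name] -Action Allow -Group $RuleGroup | Out-Null
    }
}

function Disable-OtherOutboundRules {
    # Windows ships many predefined outbound allow rules that still apply under a
    # default-deny policy; disable everything outside our own group so "everything else"
    # really is blocked. Review the list first: Get-NetFirewallRule -Direction Outbound -Enabled True
    Get-NetFirewallRule -Direction Outbound -Enabled True |
        Where-Object { $_.Group -ne $RuleGroup } |
        Disable-NetFirewallRule
}

function Set-WindowsUpdateEgress([bool]$Enabled) {
    # Windows Update runs inside svchost.exe; scope the rule to the wuauserv service
    # rather than the whole host process and flip it on only for the update window.
    # (BITS and Delivery Optimization may need equivalent rules for some update paths.)
    $rule = Get-NetFirewallRule -DisplayName 'Egress allow: Windows Update' -ErrorAction SilentlyContinue
    if (-not $rule) {
        $rule = New-NetFirewallRule -DisplayName 'Egress allow: Windows Update' -Direction Outbound `
            -Service wuauserv -Action Allow -Group $RuleGroup
    }
    if ($Enabled) { Enable-NetFirewallRule -InputObject $rule } else { Disable-NetFirewallRule -InputObject $rule }
}

function Get-BlockedOutbound([string]$Path = $LogPath) {
    # Summarise outbound DROP entries from the firewall log (W3C format, header on the
    # '#Fields:' line) by destination and originating pid, so each unexpected destination
    # is investigated before any rule is added. Resolve a pid with: Get-Process -Id <pid>
    $lines  = Get-Content $Path
    $fields = ($lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1) -replace '^#Fields:\s*' -split '\s+'
    $lines | Where-Object { $_ -and $_ -notlike '#*' } | ForEach-Object {
        $values = $_ -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    } | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'SEND' } |
      Group-Object 'dst-ip', 'dst-port', 'pid' -NoElement |
      Sort-Object Count -Descending
}

# Typical use:
#   Set-DefaultDenyOutbound
#   Disable-OtherOutboundRules
#   Set-WindowsUpdateEgress -Enabled $false      # later: -Enabled $true for the yearly update
#   Get-BlockedOutbound | Select-Object -First 20
```

The order matters: apply the allow rules before disabling the predefined ones, or the session doing the work loses name resolution too. The log summary is the "investigate" half of the plan: a new destination showing up under an unfamiliar pid is what you look at before deciding whether a rule is warranted.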
> If one controls/monitors for every app in system
Quis custodiet ipsos custodes? Who monitors the monitor?
What happens when it is compromised, loopholed through, gets its inputs tampered with, etc.? For a home setup and its threat model, this sounds like a simple, workable plan. When you're dealing with attacks of the level of sophistication described in the OP, trusting trust [1] becomes complicated and difficult.
I think you mean "blocked, then investigated", which it sounds like you're doing. A company running a large variety of software - particularly third-party - needs to have staffing sufficient for such investigations.