Well, if you keep expanding your scope of paranoia, I am afraid nothing but madness or ignorance of these things can help!
Moreover, the chances of such encounters are very low for home users, and minimizing your system's usability for that doesn't seem to be a good idea.
When we talked about KIS monitoring (or not) trusted programs, it does, but within its limitations and threshold.
Supply chain attacks are probably the most deceptive, and there's little you can do to reduce the chances:
- having a firewall with reverse DNS lookup. Block any unknown IP or host connections for most programs (ESET and Sphinx FW control have it). I usually allow program connections only for the app-related hostname. You could also whitelist a subnet of IP addresses
- in the rare circumstance that even the server of program X is infected, there's no benefit in blocking other domains in that very case, as you're allowing the connection to the compromised domain of program X
- the compromised X might not itself connect to a malicious domain but modify system or browser processes, for example. In that case, if you've manually hardened against such an attack vector, or if your AV could detect this hollowing/injection, perhaps you could block the attack at some point. There are other scenarios we could keep talking about
- one can wait for a while before installing newer versions of programs (there will be a counter-debate for sure that you'd be delaying security updates, hence not recommended). But I've seen this talked about on forums. Some compromises get revealed in a few weeks or months
- using a DNS like Quad9 that gathers shared intelligence from 19 global providers like IBM X-Force. If these systems have identified any malicious domains used in such attacks (like Cisco had identified in CCleaner), you might benefit from it
- some people use portable versions of apps and don't update often. This may reduce the likelihood of an SCA ...
If you're a corporate, one of the best things to do among the recommended set of protocols is to evaluate the security and privacy policy of the 3rd party software providers you use and only trust them if deemed secure and reliable by audit. Good supplier relations count here.
The software SCAs are often an indirect way to target entities, and I wonder at what level of interest the data of average users like us can be for any such attacker group. Take CCleaner, for e.g.: its later stages were used to narrow down on various corporations.
There are chances that good Restriction Policies would block the unidentified/non-whitelisted new files spawned by the compromised program. If not, ... other hardening policies like blocking vulnerable process sequences unless whitelisted, audit policies and the post-breach analysis tools that their IT teams use (the good ones) can help them identify early Indicators of Compromise and attempt remediation.
However, if the scattered pieces of the puzzle still don't come together, the entity gets screwed anyway.
Talking about this paranoia, there's also the hardware supply chain attack besides the software and firmware ones.
WRT the likes of OSArmor, I check what gets blocked (happens very rarely) when installing my go-to apps, and the next time they install, if something new is blocked, I might as well have a look at it. Most of the time, only if your reputed program fails to carry out a basic function (or if I know that the sequence is safe) would I unblock what got blocked. Otherwise the block is not to be bothered about.
Among other fortifications, one thing you could do if you really want such control is to enable Interactive Mode in Kaspersky. And you'll be happily overwhelmed by the number of informative alerts you get for all actions performed on your system.
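The per-program "allow only the app-related hostname, or a whitelisted subnet" firewall rule from the post above, as an added worked example that is not from the post or from any of the products it names. The program name, policy, and the PTR/A records are constructed so it runs offline, and it adds a forward-confirmation check (the PTR name must resolve back to the IP) that the post does not mention, since the owner of an IP can publish any PTR name they like.

```python
import ipaddress

# Constructed sample DNS data standing in for live PTR/A lookups
# (assumption: a real filter would call socket.gethostbyaddr / gethostbyname).
PTR_RECORDS = {
    "203.0.113.10": "update.example-app.com",
    "198.51.100.7": "cdn.example-app.com",
    "192.0.2.99": "update.example-app.com",  # PTR claims the app's name but will not forward-confirm
    "203.0.113.200": "telemetry.unrelated.example",
}
A_RECORDS = {
    "update.example-app.com": {"203.0.113.10"},
    "cdn.example-app.com": {"198.51.100.7"},
    "telemetry.unrelated.example": {"203.0.113.200"},
}

# Per-program policy (constructed): hostnames the program is expected to talk
# to, plus optional whitelisted subnets. Programs without a rule are denied.
POLICY = {
    "exampleapp.exe": {
        "hosts": {"update.example-app.com", "cdn.example-app.com"},
        "subnets": [ipaddress.ip_network("198.51.100.0/24")],
    },
}


def reverse_lookup(ip):
    return PTR_RECORDS.get(ip)


def forward_lookup(host):
    return A_RECORDS.get(host, set())


def decide(program, dest_ip):
    """Return (allow, reason) for an outbound connection from program to dest_ip."""
    rule = POLICY.get(program)
    if rule is None:
        return False, "no rule for program: default deny"
    addr = ipaddress.ip_address(dest_ip)
    if any(addr in net for net in rule["subnets"]):
        return True, "destination inside whitelisted subnet"
    host = reverse_lookup(dest_ip)
    if host is None:
        return False, "no reverse DNS name: unknown host"
    if host not in rule["hosts"]:
        return False, f"reverse name {host} not in program allowlist"
    # Forward-confirm the PTR name; otherwise any IP owner could name a trusted host.
    if dest_ip not in forward_lookup(host):
        return False, f"reverse name {host} does not forward-confirm to {dest_ip}"
    return True, f"destination matches allowed hostname {host}"
```

As the post itself notes, this only limits where a compromised program can talk; if the vendor's own update host is the one that was compromised, the allowed hostname is exactly the one carrying the attack.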