Malware installs itself persistently to ensure it's automatically (re)executed. BlockBlock monitors common persistence locations and alerts whenever a persistent component is added.
Though BlockBlock is conceptually simple, it is a rather complex piece of software. BlockBlock is made up of three main components, a kernel extension, a user-mode daemon running as root, and a user-mode agent running as the logged-in user (there can be multiple such agents if BlockBlock is installed for several users on the same system).
Orion Malware Cleaner (OMC) - By Trident
The Necessity of Simulating the Full Malware Infection Chain for Security Suite Testing