Detecting high-density data payloads. If H > 7.5, the target is flagged as encrypted/packed malware.
Subscribing to OS kernel events. Instant reaction to file creation, modification, and execution.
Scanning active processes for shellcode injection and suspicious P/Invoke behavior.