Blocking unexpected operations requires a heuristic baseline to accurately define what is expected. Once an expected set of operations is defined, a heuristic intrusion prevention system can halt unexpected operations and inform the user of the anomaly. This can make for a very nice rootkit detector, but its usefulness as a prevention tool is questionable. Heuristic prevention is very similar to closing the barn door after the horses have run away. It simply does not provide a viable solution to the problem.