I'm talking about a solution that leverages a vast online database of billions of files and behavioural data (not Panda).
When I execute a file on my machine, a classification is obtained from the cloud database. If the file is good, it will be allowed to do what it needs to do. If it's bad, it'll be cleaned up. If it's unknown, the file will be placed in 'monitor' mode.
While in monitor mode, the file is first executed in a sandbox (this is transparent to the end user and takes seconds) where heuristic analysis takes place and behaviour is monitored. If it exhibits malicious behaviour at this stage, the file is cleaned up.
If no further malicious behaviour is witnessed in the sandbox, the file will be allowed to execute, but will still be continuously monitored. If the file tries to replicate, I'm protected. If it tries to steal my keys, grab my screen or use any other information-stealing techniques, I'm generically protected even if no security vendor on the planet has seen the virus before.
Once my AV vendor has identified that the file that executed on my machine is a virus, a bad classification is pushed down. When my system receives the bad classification, it reverses every single change that the virus made to my system because while the file was being monitored a local change journal was recorded on my system, resulting in a perfect clean-up.
I also have visibility of everything the virus did or tried to do to my system.
I appreciate that this method includes some heuristics, but I'm sure you'll agree it's a lot more than that.
The AV client itself is half a megabyte and uses up no noticeable system resources. It can also run alongside other AV products.
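
The journal-and-rollback idea described in the post, sketched as an added example (not part of the original post and not any vendor's code). The `ChangeJournal` class, the file names and the verdict value are all hypothetical, and it covers only file writes and deletes in a temporary directory: the prior state is saved before each change, and a late "bad" verdict replays the journal newest-first.

```python
import os
import tempfile

class ChangeJournal:
    """Saves the prior state of every path before a monitored change is applied."""
    def __init__(self):
        self.entries = []  # (action, path, previous bytes or None if path was absent)

    def _record(self, action, path):
        prev = None
        if os.path.exists(path):
            with open(path, "rb") as f:
                prev = f.read()
        self.entries.append((action, path, prev))

    def write(self, path, data):
        self._record("write", path)
        with open(path, "wb") as f:
            f.write(data)

    def delete(self, path):
        self._record("delete", path)
        os.remove(path)

    def rollback(self):
        """Undo newest-first; return the activity report (what was done, in order)."""
        report = [(action, os.path.basename(path)) for action, path, _ in self.entries]
        while self.entries:
            _, path, prev = self.entries.pop()
            if prev is None:            # path did not exist before: remove it
                if os.path.exists(path):
                    os.remove(path)
            else:                       # path existed: restore saved content
                with open(path, "wb") as f:
                    f.write(prev)
        return report

def read_tree(root):
    return {n: open(os.path.join(root, n), "rb").read() for n in sorted(os.listdir(root))}

def demo():
    root = tempfile.mkdtemp()           # constructed sample files, not real system paths
    cfg, doc, new = (os.path.join(root, n) for n in ("settings.ini", "report.txt", "dropped.bin"))
    for path, data in ((cfg, b"proxy=none\n"), (doc, b"quarterly numbers\n")):
        with open(path, "wb") as f:
            f.write(data)
    before = read_tree(root)
    journal = ChangeJournal()           # the unknown file runs in monitor mode
    journal.write(cfg, b"proxy=changed\n")
    journal.write(new, b"constructed payload bytes")
    journal.write(cfg, b"proxy=changed-again\n")
    journal.delete(doc)
    verdict = "bad"                     # hypothetical late classification from the cloud
    report = journal.rollback() if verdict == "bad" else []
    return before, read_tree(root), report
```

Reverse-order replay matters for `settings.ini`, which is changed twice: undoing the newest entry first leaves the file at its original content rather than at the intermediate one.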