MD5 or signature blocking equals always being behind. Developers will always update their code, rendering your checksum only as relevant as the latest fingerprint you use. Also, consider the performance impact: let's say you're blocking 50 applications with 10 MD5 checksums for each version it ever had. Every time an EXE launches on your system, it needs to be checked against 500 MD5 signatures just to be passed on to the "on-access scanner" for regular signature-based detection. The result is the poor performance we all love so much.
Behavior detection is the route to go. Like with the Ultrasurf thread last week, all Symantec has to do is classify applications properly based on their behaviour and group known processes in that class. For example, you can have a class called "Unwanted Proxy Applications", where bad things like Tor and Ultrasurf will reside, and, more importantly, new programs that have the same behavior will automatically be added to this class. The same would be done for "IP Scanners", where SuperScan, Angry IP Scanner, netcat and others would live.
Unfortunately, Symantec's behavior detection is pretty useless with TruScan, and this would have to be a superior behavioral engine to that of TruScan. Maybe in the future something like this would become available?
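
The contrast drawn in the post above, as an added example that is not part of the original post and is not Symantec's or TruScan's logic: an exact MD5 match misses a rebuilt binary, while class rules keyed on behaviour still place it. The telemetry event format, the `classify` function, its thresholds and all sample data are assumptions constructed for illustration.

```python
import hashlib

# Constructed stand-ins for two builds of the same tool (not real binaries).
BUILD_V1 = b"example-proxy-tool 1.0"
BUILD_V2 = b"example-proxy-tool 1.1"
MD5_BLOCKLIST = {hashlib.md5(BUILD_V1).hexdigest()}  # only the build seen so far

def blocked_by_hash(image: bytes) -> bool:
    """Signature-style check: exact match on the file's MD5."""
    return hashlib.md5(image).hexdigest() in MD5_BLOCKLIST

def classify(events, scan_targets=20, scan_fail_ratio=0.5):
    """Assign one process to behaviour classes from its (hypothetical) telemetry.

    events: dicts with 'type' in {'listen', 'set_system_proxy', 'connect'};
    thresholds are illustrative assumptions, not vendor values.
    """
    classes = set()
    listen_ports = {e["port"] for e in events
                    if e["type"] == "listen" and e["addr"] == "127.0.0.1"}
    proxied_ports = {e["port"] for e in events if e["type"] == "set_system_proxy"}
    connects = [e for e in events if e["type"] == "connect"]
    # Proxy: opens a loopback listener, points the system proxy at it, relays out.
    if listen_ports & proxied_ports and any(e["ok"] for e in connects):
        classes.add("Unwanted Proxy Applications")
    # Scanner: many distinct host/port targets, most of which refuse or time out.
    targets = {(e["addr"], e["port"]) for e in connects}
    failed = sum(1 for e in connects if not e["ok"])
    if len(targets) >= scan_targets and failed / len(connects) > scan_fail_ratio:
        classes.add("IP Scanners")
    return classes

# Constructed telemetry for three processes (documentation-range addresses).
PROXY_EVENTS = [
    {"type": "listen", "addr": "127.0.0.1", "port": 8080},
    {"type": "set_system_proxy", "port": 8080},
    {"type": "connect", "addr": "203.0.113.10", "port": 443, "ok": True},
]
SCANNER_EVENTS = [
    {"type": "connect", "addr": f"192.0.2.{i}", "port": 445, "ok": i % 10 == 0}
    for i in range(1, 41)
]
BROWSER_EVENTS = [
    {"type": "connect", "addr": "198.51.100.7", "port": 443, "ok": True},
]
```
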