December 21st, 2005, 10:34 PM
#13
Junior Member
Proactive security is not only impractical, but impossible. The two ways of limiting attacks by viruses are by either detecting code which is malicious, or by hooking specific routines in the operating system / interrupt services to protect against malicious software.
In case A) detection is bound to fail due to the ease of obfuscation of code. As an example, I'll point you to http://aconole.brad-x.com/xmas.c which was my first attempt at obfuscating code. For the curious, it's just ASCII art. For the untrusting, go ahead and compile it, then throw nm, ldd, objdump, strings and gdb at it. It's not malicious.
In case B) while this may work, there are, again, always ways around specific system calls. To guard every system call is so much work that it's impractical for end users, application developers, and AV writers. Also, think about what kinds of control mechanisms would need to be in place for 100% effectiveness. Palladium anyone? You'd kill open-source developers in a heartbeat.
As far as I'm concerned, let AV companies be playing the catch-up game. In the meantime, I won't be an idiot who runs every binary thrown at me without first investigating it. Even then, I'll make sure to use a chroot jail, on a honeypot / test machine.
"I don't care what you learned in C++ class today, you never let your friends touch your private parts."