It's never too late. That's why tools like OSArmor and SpyShelter exist, to block malware from achieving their goals, even if they have already managed to load. BTW, if you simply block these LOLBins from connectiong out, I assume they can't be used for downloading malware. Unless they manage to bypass the firewall via code injection for example.