ooo Pretty big job, gonna cost ya.
Two thoughts, sorry if I'm repeating someone....
1. Re one of the paragraphs: writing a registry key is going to require significant code work? Yes, that is what the text suggested. Give me a break: a lot of software that is written by what I consider poor practice writes hundreds, if not thousands, of registry entries, apparently for random fun, and leaves them behind when it is removed. Writing a single key is a very basic call. (I do realise that rewriting your AV kernel driver thingie might be hard.)
2. The alternative to a single key is a folder where each vendor's software has to put in an "I'm good" notification, and if everyone is good, updates continue.
Having said that, with this registry thing, malware has a very simple way to switch off updates at will, simpler than borking Windows Update, and, let's face it, Microsoft bork their own update engine regularly enough.
So perhaps what we should have is a better way to register an application's existence on the machine in a protected place, such that it can be checked against an online 'master' record of goodness maintained by vendors / Microsoft. A heap of missed opportunities there with the whole 'certified' application certificates etc.
This is turning into a bigger poo pile every day as we better understand the consequences!