You have said that when an outbound firewall stops something it is already too late. But don’t you think an outbound firewall might stop a key logger from at least sending logs to an email or remote computer? Or would it not?
A firewall with outbound detection can be of use, but you’ve captured my thoughts already: if it detects something, then in a way it’s already too late, because your machine is infected.
Let’s review what outbound firewalls are, why I rarely recommend them, and perhaps why your key logger wasn’t detected.