This sounds uselessly crippled, as it's not going to catch malware that doesn't drop anything to disk, or that adequately cleans up after itself if it does.
I would assume they could also dump memory, i.e. `/dev/mem`. Agreed, they would also need to take frequent memory snapshots, but lots of malware will also run in the background waiting indefinitely, often under the same name as common Linux processes but with different hashes.