Hey, you're the one who said you have no idea how to see a non-rootkit virus/trojan.
...and how does one use ps to detect malware? There are 272 processes running on my system right now. Ten years ago, when there were only 20, I knew what they all were. Now? No way in hell. So I don't even look at it anymore, and malware could just call itself "malware" in the process list and I'd never notice it.
However, even if it were still only 20 processes, here are some questions:
1. What prevents malware from choosing a legitimate-looking name? Like how in Windows there's a dozen "svchost" running, and so malware would be smart to simply name itself "svchost," as most people are unlikely to notice that there are now 7 of them when there should be only 6. On my system, malware could hide itself pretty well just by calling itself "xterm" as there's always at least a dozen of them in there.
2. What forces traditional viruses to show up? You know, the ones where they infect an ordinary program, thereby being executed every time that program is executed. Threads don't show up in the process list, so just infect a program and make it spawn a thread to run your malware, and now the CPU time even shows up in 'top' as being used by some legitimate application you've used for years and totally trust, even if it does occasionally do weird things like use a little more CPU time than you think it should be using.
However, this is all moot anyway. My problem with forcing people to run applications non-root is that it only makes sense if there's some root application that is able to detect malware. When you download Linux and install it, what do you get? You get a system that will prompt you for your fucking password all the time, but otherwise not complain about a damn thing any application does. Does an application constantly use half of your internet bandwidth sending spam? Well, Linux won't tell you it's doing that. Is it indexing your files and sending them to a remote server? Linux won't tell you. Is it recording your keystrokes as you log in to your online banking web site? Linux won't tell you. ...but God forbid you attempt to set the system time, because Linux will intervene to stop you, and insist that you authenticate yourself before you do something so bloody dangerous, because, you know, it might be malware attempting to set the system time, and we can't allow that.
It's just retarded. Linux is 100% obsessed with protecting the Linux system itself, but doesn't give a fuck about protecting the user.
So this whole thread started with me suggesting that a better solution is application sandboxing, since aside from utilities that come with the OS anyway (like file browsers, archive tools, etc.) there are very few applications that need complete access to everything the user running the application has access to. So if you run an office application, the first time you run it, Linux asks what you expect it to do. You click "modify the occasional file I ask it to modify" and so Linux restricts its file I/O to what you give it access to via a file open/save dialogue provided by the OS, and also gives it its own little folder somewhere to store whatever data it needs to store, but doesn't grant it access to every file the user is allowed to access. It also allows it to present GUI windows and accept input from the user through them, but doesn't allow it full GUI access so that it can intercept keystrokes to other applications. If the application attempts network access, Linux tells you what it's trying to access, and you can approve or deny. If you deny, it tells the application that you did, and the application can try to make a case for why it needs that access, but you're still free to just say 'no' and the application can just not implement whatever feature it needs that network access for since apparently the user isn't interested. This is how real security works. You can download malware intentionally, run it in such sandboxing, and be in full control of what the malware does, rather than the malware being in full control of what your computer does. It's how it should be, and it pisses me off that everyone thinks that telling everyone "just don't run applications as root" and "don't run untrusted applications" and apparently now "just examine your process list now and then" is somehow good enough. It's not. People buy computers so that they can run software.
Any solution that tells them not to run software is a solution that is not going to work, and I think everyone knows that and that's why they say "well, just don't run the software as root," but they're in denial about the problem if they think that is any sort of solution.
It's not that you're not running as root that is keeping your computer secure. It's that you're essentially not using it to its full potential. I mean, if you left it in the box, it'd be perfectly secure. Don't connect it to the internet? Still pretty secure. Connect it, but just don't ever run any software that didn't come with it? Not quite as secure, but still not too bad. Download only well-known software? Less secure, but not the worst. Download anything that claims to do anything you're interested in doing? Now you're almost doomed to get malware.
Current security advice is essentially "use your computer, but don't use it too much." It's bullshit. The purpose of computers is to run software, and our operating systems should be able to do that without it being a huge security risk. It's like running a prison. You can build individual cells, or you can house everyone in one huge room and just tell the warden "to keep your prison secure, you should keep only trusted prisoners, and avoid taking in just any random prisoner off the street." Then you build a little "root" tower in the center, and you put a good secure door on that, and indeed you manage to keep all of the prisoners out of the tower, but they're still shanking everyone in sight and climbing the prison walls to escape. ...but hey, it's all good as long as they don't get into the "root" tower, right? ...and besides, it isn't that the prison's security is poor, it's that damn warden who failed to properly screen the prisoners he accepted. So, I guess we'll just shoot all of the prisoners from the safety of the "root" tower, then pretend like the situation isn't doomed to repeat itself, because expecting the warden to screen prisoners and determine which will and won't be a problem before they're even in the prison is a perfectly acceptable thing to expect. I mean, it isn't like he bought the prison to keep prisoners, and so he expects to be able to do so, and telling him not to is essentially telling him to not use his prison for the only thing it is good for because it quite frankly isn't engineered well enough to be able to do it. It's just insecure to expect to be able to keep dangerous prisoners, and besides, everyone knows that as long as the "root" tower is protected, the prison is perfectly secure.
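The per-application policy the post sketches (files reachable only through the OS file dialog or the app's own folder, network access gated by a remembered user prompt whose denial is reported back to the app) modelled as an added Python example; this is not code from the thread, and the class name, paths and hostnames are constructed for illustration.

```python
import os
from dataclasses import dataclass, field
from typing import Callable

# Constructed model of the per-application policy described in the post:
# file access only for paths handed over by the OS file dialog or under the
# app's own data folder, and network access gated by a user prompt whose
# answer is reported back to the app. Names, paths and hosts are made up.

def _norm(path: str) -> str:
    # Collapse "." and ".." so private/../.ssh cannot slip past the check.
    # (A real sandbox decides at the kernel/file-descriptor level, not on strings.)
    return os.path.normpath(path)

@dataclass
class AppSandbox:
    name: str
    private_dir: str                       # the app's own storage folder
    ask_user: Callable[[str], bool]        # OS-mediated approve/deny prompt
    granted_files: set = field(default_factory=set)
    net_decisions: dict = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.private_dir = _norm(self.private_dir)

    def user_picks_file(self, path: str) -> None:
        """Called by the OS file open/save dialog, never by the app itself."""
        self.granted_files.add(_norm(path))

    def check_file(self, path: str) -> bool:
        p = _norm(path)
        if not os.path.isabs(p):
            return False                   # relative paths are ambiguous; refuse
        if p in self.granted_files:
            return True
        return p.startswith(self.private_dir + os.sep)

    def check_network(self, host: str, port: int) -> bool:
        """Prompt once per destination and remember the answer; a denial is
        returned to the app so it can drop the feature instead of failing."""
        key = (host, port)
        if key not in self.net_decisions:
            self.net_decisions[key] = self.ask_user(
                f"{self.name} wants to connect to {host}:{port}")
        return self.net_decisions[key]
```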