What makes Linux so different than Windows in terms of anti-virus needs?
My question is not if I should get an anti-virus for my Linux. I perfectly understand why an AV is important.
I would like to understand if there are conceptual (technical) differences which make Linux less vulnerable than Windows (comparing for example Ubuntu 14 and Windows 7).
There are several reasons why Windows is so heavily inflated with anti-virus products. (I am pointing to out-of-the-box (OOTB) experiences).
Windows users are, by default, local administrators, so any social engineering done on Windows can usually lead to an execution of software. Modern Linux has users set-up as low-privilege local users. It requires your password to elevate privilege.
Windows tried to simplify as many things as possible including security and looking back at its history their butchering (Windows Vista anyone?) of security controls left their user-base numb to constant false positives about software. The proverbial "Do you want to install this software? Do you REALLY want to install this software?" lead to just click-throughs or disabling UAC.
Software repositories vs standalone installs:
Linux has had software repositories forever and they provide a good mechanism for installing software. These are usually signed, approved, software being protected by companies with budgets for security following standards for security. (I know about the breaches to repositories in the past, but this is generally good). Windows users are used to pulling sources from everywhere and installing on their system, unsigned or not.
Users generally have different mindsets:
Windows is an all-purpose, all-user platform. It generally tries to solve everyone's problems and in doing so, OOTB doesn't protect the user like it should. This why Microsoft pushes so hard to force every piece of software to be signed by a "trusted signer". There's plenty of debate on this, but generally from a security standpoint this is smart; Microsoft just happens to have a track record that leaves trust to be desired.
Linux users are generally technical and the systems are usually server systems. That's why software usually comes with GPG keys and/or SHA/MD5 hash for comparison, as these are from a Linux administrator perspective, de-facto processes for installing software. I know many Linux users who ignore this, but I have yet to see a Windows administrator even think about it.
So it does go beyond market share.
Expansion:
I will address a few things from the comments (which have valid points.)
Repositories:
From an OOTB experience modern Linux distributions have pre-signed packages which are more for identifying that a package works with the distribution, but also proves a secure method for verification.
Other package management system have been discussed such as pip and npm which are independent of the distributions themselves and are servers to install specific packages for their particular programming language. It can be argued that there is no inherent way for verification on these systems. This is primary because Linux has a philosophy of programs doing one specific thing and doing it well. This is typically why multiple tools are used such as using GPG or PGP for integrity.
Script Downloads
cURL | sh has been mentioned and are truly no different than clicking on a .exe after you have downloaded the file. To point out, cURL is a CLI tool for transferring data. It can do authentication, but it doesn't do verification specifically.
UAC vs sudo
Lastly, here are a few things about these two security features.
UAC is an approval process for untrusted software installation. A user which has local administrator rights simple gets a yes or no (the behavior can be changed, but it's not default). I am still looking to see if this behavior has changed on Windows 8+, but I haven't seen anything on it.
Sudo is a fine-grained permission elevation system. By default it's essentially the same thing as UAC, but it has more ability to be configured to limit accessibility.
The reason for this tends to be historical. There is no reason why a modern desktop Linux should be particularly more resistant to malware when compared to a modern Windows desktop.
However there have been many more viruses for Windows than Linux amongst desktop users, which is down to factors such as the number of users of the respective platforms and also historical weaknesses in the Windows platform such as running as administrator all the time.
So from a market perspective, the reason is that there are more customers for Windows antivirus software than for Linux antivirus software, so as a result more vendors will go into that marketplace.
I think the most crucial factor for virus infection of desktop Windows system is, definitely, the culture and discipline of software distribution and installation.
While the average Linux user opens the package manager and get the vendor-built software package (and doesn't leave the official repository to find software in 90% cases), the average (non-IT) Windows user opens the browser's tab, and Google for "install 7-zip" or even "install file archiver", and very often accidentally navigates to malware-stuffed website, that is specially crafted and SEOed to catch such kind of users.
Every beginner Windows administrator will talk you a lot of stories about "ZipViewer.exe" and "ArchiveUnpacker.exe", that was found in the infected machine and was downloaded by the user. Of course, the experienced user types "7-zip.org" in the address bar, and download the installation package from the trusted website, but this just point us to the fact: the absence of central repository for windows software and the requirement to just to remember the list of trusted websites still creates the biggest vulnerability ever known in windows history.
I know the significant amount of people, who don't install antivirus software at all just because they know where to get the original software and how to configure a regular data backup.
Every working Windows malware can cause an epidemic infection. There are hundreds of millions of Win 8.1 boxes in the world and on many of them e.g. Acrobat Reader has been installed. It is a monoculture.
Linux on the other hand is less a monoculture. There are many different PDF viewers: Evince, Okular, mupdf, xpdf... There are many window managers: Gnome, KDE, i3, lxde... There are many different distributions.
So if you are able to infect one taste of Linux, this won't necessarily work on other installations.
Linux software usually is open source. If you'd like to become a developer of a software, you have to stick to it for a long time to get write access to git / svn / cvs of a running project. You can't offer only binaries to a distribution, you need to offer source code and if it doesn't compile from source, your software is out. So it is difficult to distribute malware.
What I wrote here are guesses, I'm not into software security.
There are some good answers here. I just wanted to add a couple of points.
There is a historical component to the argument that Linux is less vulnerable than Windows. Some of the basis for this suggestion is not as valid when referring to modern Windows implementations as it previously was.
Perhaps the biggest difference was originally due to differences in architecture. The *nix based systems have traditionally had a clear separation between user and kernel space. This separation restricted what processes run by the user could access/change. Early Windows didn't have as clear a separation, which meant things like user code affecting low level code or drivers was more possible. Later versions of Windows have worked towards a similar separation of system and user space. As an example, at one time, it was possible for user space processes to adversely affect low level services, such as the video subsystem, either due to malicious code run by the user or just buggy user level code. In this respect, this separation of system and user space has the benefit of both reducing exposure to malicious code and buggy code which could make the system less stable.
As mentioned by others, Windows traditionally also allowed the user account to also be a system admin account. This would be similar to having a Linux user account run with root privileges - essentially allowing processes to bypass any protection provided by separation of users and system.
I think it is also useful to distinguish between viruses and malware. One way to look at this is think of viruses as self populating - viruses can move from system to system without user interaction/input. Malware on the other hand requires the user to perform some action e.g. open an attachment, install an update, visit a web site with a drive-by exploit etc. While viruses are still a problem, by far, the real threat these days is from malware. As malware requires user interaction, the real threat is now more about social engineering and less about technical platform. At this level, both Windows and Linux are potentially similar in that both systems are increasingly similar (at a high abstracted concept level) in architecture re: user and system space. You can develop malware for either system and the extent to which that malware will work is similar (assuming modern Windows practice of not having your user account implicitly include admin privileges).
This means that in general, the real difference is mainly due to market share. As Linux has a much smaller market share, the potential pool of victims is smaller. If you're going to develop some malware, you will go for the biggest possible market - this means Windows. However, we are beginning to see malware for Linux and it is likely that if the Linux desktop market share were to increase, we would see increased malware problems for Linux. The point is that social engineering is now the key to malware distribution and platforms are less relevant. It is even likely that we will see more malware on Linux if we also see increased malware based on technology which is cross platform (for example JavaScript).
It is actually a little concerning there is a strong belief that Linux is immune to viruses and malware. This belief tends to make people feel they do not need to worry about normal best practices for protecting yourself e.g. not clicking on dodgy emails, opening suspicious attachments, installing software from unknown or untrusted sources etc. People will suggest Linux is more secure because much of the software is open source and you can inspect the source to see if it is malicious or not. This is a little misleading. Firstly, it is actually very difficult to inspect software to ensure it is OK - this takes considerable technical skill and familiarity with the language being used. The other problem is, most will assume someone else has done this, which may not be the case. Consider the number of important libraries and applications which have had significant security holes which have not been identified for quite some time i.e. openssl, libc and ghost etc.
Linux is less vulnerable at this time primarily because it represents such a small user segment in the market. If either the market grows or competitors improve their security to the point where malware becomes difficult to implement, we could very well see an increase in threats for Linux. Threats are increasingly dependent on social engineering to deliver their payload. To some extent, we are possibly reaching the limit of technical protection possible in modern systems. The most vulnerable component these days is the user. This means the underlying technology is becoming less relevant and what we really need to focus on is user education and awareness.
A fundamental problem with Windows' excuse for a security model--probably the biggest one--is that the only way a user can allow programs to do certain things that almost any installable program might need to do is to grant the program unlimited authority to do anything and everything it wants. If it were possible for Windows to say e.g. "This program would like to add a folder named 'FredMagic123' to every user's start menu and add icons to it; would you like to let it do this?", and if clicking "Yes" would grant the program the authority to do that but no other elevated privileges, then users could determine when programs were seeking permission to do things they had no legitimate reason to do be doing.
To make matters worse, Windows makes it difficult for programs to start up with normal permissions and then request elevated permissions later. Thus, if an installer will ever want to be able to install a program in such fashion as to be accessible to all users, it will often need to request elevated permissions before it can do anything else. Consequently, rather than allowing a program to be installed for a local user without needing elevated permission, and only require special permissions when installing for system-wide use, the normal behavior is for install programs to require full administrative permissions in order to do anything, even if in a typical install none of their actions would require any elevated permissions at all.
Linux has fewer viruses because it lacks market share.
False. Although Linux has less of a market share in desktops, it has a greater share of server installs. Servers are much more likely to be sought as specific targets as opposed to targets of opportunity.
Modern operating systems are all basically equally secure if correctly configured and administered.
False. Windows carries a lot of legacy code that was written without security concerns to maintain compatibility. Linux was much more security conscious in its initial design, and has had multiple pure security projects which has only made things better. Although Windows is much better than it was, it still has more room for improvement.
And just to be fair, let's debunk another myth: 'Linux by itself is good enough for security'. The greatest weaknesses in all operating systems are
At this time the botnet that is most alarming is composed entirely of linux powered routers that had default passwords and remote administration enabled.
Comparing Windows and Linux is like comparing apples and oranges structurally. Configuration plays a larger role in protection than any specific OS architecture, and it goes from physical security all the way to maintenance and upkeep. All security implementations can be removed in all operating systems, and corners can be cut in terms of maintenance and security in regard to how a user handles their machine. Therefore all operating systems equally share the same level of risk in terms of malware installation, because that risk is largely impacted by the user.
Viruses, malware, trojans, etc. on most platforms can be installed by someone who has enough privileges. If that person has enough privileges to allow the application to escalate its own permissions, the application may be extremely difficult to eradicate. If a user runs as "Administrator" on either Windows or Linux for example they have the ability to allow the installation of something malicious if they aren't careful. If that user inadvertently installs something they did not intend, it can potentially take over their machine, hide itself in the operating system, and make it very difficult to remove, sometimes even requiring a firmware update in the event of something like an EFI injection on a Mac.
Antivirus is like a security system when you have a door lock. If you think of the door lock as the built-in OS security, it will prevent a few things from happening without the user doing something like leaving the door unlocked. Because it exists, it may deter a would-be attacker because of its existence. Door locks keep honest people honest. A security system, like antivirus software, alerts the user to a possible intrusion. If the user acknowledges the warning and stops an intrusion in time, then the theft or break-in can be thwarted. If the user doesn't have a security system in place, they can only look at the aftermath of a break-in if the built-in protections of the operating system (or a door lock) are overcome.
That being said, not all security systems catch all problems, and not all antivirus engines catch all viruses, but if you have anything remotely worth protecting, it's worth protecting correctly.
Linux can in some varieties require significantly more maintenance in terms of installation. It's not easy to use for everyone and is created by people who aren't working for a major corporation (excluding Red Hat). Windows, can be easier to configure and maintain out of the box, however the user in both cases can help to render an operating system useless in terms of defence.
The amount of malware in a market at any given time has no affect on the future security of any given operating system. If all software patches are applied, then the user is current with their known vulnerabilities, provided the parties responsible for maintaining the software are up-to-date. There will however always be more zero-day attacks and attacks on undisclosed vulnerabilities where no patches exist.
