Are there technical differences which make Linux less vulnerable to virus than Windows?

There are several reasons why Windows is so heavily inflated with anti-virus products. (I am pointing to out-of-the-box (OOTB) experiences).

Windows users are, by default, local administrators, so any social engineering done on Windows can usually lead to an execution of software. Modern Linux has users set up as low-privilege local users. It requires your password to elevate privilege.

Windows tried to simplify as many things as possible, including security, and looking back at its history, its butchering (Windows Vista anyone?) of security controls left its user-base numb to constant false positives about software. The proverbial "Do you want to install this software? Do you REALLY want to install this software?" led to just click-throughs or disabling UAC.

Software repositories vs standalone installs:

Linux has had software repositories forever and they provide a good mechanism for installing software. These are usually signed, approved software, protected by companies with budgets for security and following standards for security. (I know about the breaches to repositories in the past, but this is generally good.) Windows users are used to pulling sources from everywhere and installing them on their system, signed or not.

Users generally have different mindsets:

Windows is an all-purpose, all-user platform. It generally tries to solve everyone's problems and in doing so, OOTB, doesn't protect the user like it should. This is why Microsoft pushes so hard to force every piece of software to be signed by a "trusted signer". There's plenty of debate on this, but generally from a security standpoint this is smart; Microsoft just happens to have a track record that leaves trust to be desired.

Linux users are generally technical and the systems are usually server systems. That's why software usually comes with GPG keys and/or SHA/MD5 hashes for comparison, as these are, from a Linux administrator's perspective, de facto processes for installing software. I know many Linux users who ignore this, but I have yet to see a Windows administrator even think about it.

So it does go beyond market share.

Expansion:

I will address a few things from the comments (which have valid points.)

Repositories:

From an OOTB experience, modern Linux distributions have pre-signed packages which are more for identifying that a package works with the distribution, but this also provides a secure method for verification.

Other package management systems have been discussed, such as pip and npm, which are independent of the distributions themselves and serve to install specific packages for their particular programming language. It can be argued that there is no inherent way for verification on these systems. This is primarily because Linux has a philosophy of programs doing one specific thing and doing it well. This is typically why multiple tools are used, such as using GPG or PGP for integrity.

Script Downloads

cURL | sh has been mentioned and is truly no different than clicking on a .exe after you have downloaded the file. To point out, cURL is a CLI tool for transferring data. It can do authentication, but it doesn't do verification specifically.

UAC vs sudo

Lastly, here are a few things about these two security features.

UAC is an approval process for untrusted software installation. A user which has local administrator rights simply gets a yes or no (the behavior can be changed, but it's not default). I am still looking to see if this behavior has changed on Windows 8+, but I haven't seen anything on it.

Sudo is a fine-grained permission elevation system. By default it's essentially the same thing as UAC, but it has more ability to be configured to limit accessibility.
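The hash-and-signature check this answer describes for Linux software (the step that `curl | sh` skips), as an added example that is not part of any answer on this page; the pinned SHA-256 value, the artifact and the keyring path are constructed placeholders:

```shell
#!/bin/sh
# Added example: verify a downloaded artifact against a pinned SHA-256 value
# and a detached GPG signature before it is inspected or executed.
# PINNED_SHA256 is the known SHA-256 of the constructed artifact "hello".
PINNED_SHA256=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

# Portable SHA-256 helper: GNU coreutils sha256sum, or shasum on BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_checksum FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
# The expected value must come from a source independent of the download
# (a release page over TLS or a signed SHA256SUMS file), never the same URL.
verify_checksum() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# verify_signature FILE SIGFILE KEYRING -> 0 only if gpg accepts the detached
# signature with a key from the pinned keyring; fails closed if gpg is absent.
verify_signature() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not available" >&2; return 1; }
    gpg --batch --no-default-keyring --keyring "$3" \
        --verify "$2" "$1" >/dev/null 2>&1
}

# Demo on a constructed artifact: writes "hello", checks it against the
# pinned digest and reports whether it would be safe to go on to the
# signature step. Returns the result of the checksum check.
demo() {
    tmp=$(mktemp)
    printf '%s' hello > "$tmp"
    if verify_checksum "$tmp" "$PINNED_SHA256"; then
        echo "checksum ok: $tmp may proceed to signature verification"
        rc=0
    else
        echo "checksum MISMATCH: refusing to use $tmp" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```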


The reason for this tends to be historical. There is no reason why a modern desktop Linux should be particularly more resistant to malware when compared to a modern Windows desktop.

However there have been many more viruses for Windows than Linux amongst desktop users, which is down to factors such as the number of users of the respective platforms and also historical weaknesses in the Windows platform such as running as administrator all the time.

So from a market perspective, the reason is that there are more customers for Windows antivirus software than for Linux antivirus software, so as a result more vendors will go into that marketplace.


I think the most crucial factor for virus infection of desktop Windows systems is, definitely, the culture and discipline of software distribution and installation.

While the average Linux user opens the package manager and gets the vendor-built software package (and doesn't leave the official repository to find software in 90% of cases), the average (non-IT) Windows user opens a browser tab and Googles for "install 7-zip" or even "install file archiver", and very often accidentally navigates to a malware-stuffed website that is specially crafted and SEOed to catch such users.

Every beginner Windows administrator will tell you a lot of stories about "ZipViewer.exe" and "ArchiveUnpacker.exe" that were found on the infected machine and were downloaded by the user. Of course, the experienced user types "7-zip.org" in the address bar and downloads the installation package from the trusted website, but this just points us to the fact: the absence of a central repository for Windows software and the requirement to just remember the list of trusted websites still creates the biggest vulnerability ever known in Windows history.

I know a significant number of people who don't install antivirus software at all, just because they know where to get the original software and how to configure a regular data backup.