Chromebooks are a popular solution for people who primarily use computers to go online, for students, and for security professionals. They are inexpensive, reliable, and secure. But since security is a big motivator behind Chromebooks, that raises a question: Do Chromebooks need antivirus protection?
Viruses don’t like Chromebooks
Many people will tell you that Chromebooks don’t need antivirus, or can’t get viruses, and then backtrack on you. I’ll see if I can do a better job of explaining it.
Despite what marketers will tell you, no computer is invincible. Our experience with Windows computers trains us to automatically install antivirus and firewall software to protect any computer. But antivirus and a firewall don’t make a computer invincible either.
Google decided to take a different approach with Chromebooks: a phone-like approach. Google severely limits what software runs on them in the first place. Many Chromebooks have no facility for installing additional software. Those that do can install Android apps from the Google Play store. Google doesn’t curate the Play store quite as closely as some people would like, but it’s far from the wild west that traditional software ecosystems are.
Furthermore, Chromebooks store their data on Google’s servers, not on the Chromebook itself. Google scans the stored files for viruses, in effect shifting the responsibility for antivirus away from the Chromebook and putting it on the servers in the cloud.
Chromebooks enforce an application whitelist, which security professionals agree is more effective than antivirus anyway. If you don’t enable the Google Play store on your Chromebook, you don’t need antivirus protection. Even if you do enable the Google Play store, being careful about what you install gives you better protection than antivirus would.
Even though a Chromebook theoretically can’t get infected, it can transmit a virus under some circumstances. It can also claim to have a virus even though it doesn’t. Fortunately, there is something you can do about that. It doesn’t cost anything and only takes a minute.
So why does my Chromebook say it has a virus?
Viruses for other computers won’t run on a Chromebook, and it would be extremely difficult for a virus to exist on a Chromebook. But it’s still possible to install a malicious Chrome extension, and a malicious website can still display a screen that claims your computer is infected and even demand a payment to clean it up.
Most people don’t need to install Chrome extensions at all. If you do install any extensions, make sure you know what they do. Chrome does a nice job of warning you about what an extension is capable of doing. If Chrome’s warnings make you nervous, don’t install it.
To check on your extensions, open Chrome. From the Chrome menu, navigate to More tools > Extensions.
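The warnings Chrome shows come from the permissions an extension declares in its manifest.json file. The following is an added example, not part of the original article: a small Python audit that lists the broad capabilities a manifest asks for. The "Coupon Helper" manifest is constructed sample data, and the plain-language summaries are this example's own wording, not Chrome's.

```python
import json

# Real Chrome manifest permission names, with a plain-language summary of each.
BROAD_PERMISSIONS = {
    "tabs": "sees the address and title of every open tab",
    "history": "reads your browsing history",
    "cookies": "reads and changes cookies on sites it can access",
    "webRequest": "observes the browser's network requests",
    "clipboardRead": "reads what you copy to the clipboard",
    "nativeMessaging": "talks to programs outside the browser",
}
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest_text):
    """Return a sorted list of broad capabilities an extension declares."""
    manifest = json.loads(manifest_text)
    declared = (manifest.get("permissions", [])
                + manifest.get("optional_permissions", []))
    hosts = list(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])
    findings = set()
    for perm in declared:
        if perm in BROAD_PERMISSIONS:
            findings.add(f"{perm}: {BROAD_PERMISSIONS[perm]}")
        elif perm in ALL_SITES or "://" in perm:
            hosts.append(perm)  # Manifest V2 lists host patterns here too
    for pattern in hosts:
        if pattern in ALL_SITES:
            findings.add(f"{pattern}: reads and changes data on every site")
    return sorted(findings)

# Constructed sample manifest for a hypothetical "Coupon Helper" extension.
SAMPLE = """{
  "manifest_version": 3,
  "name": "Coupon Helper",
  "version": "1.0",
  "permissions": ["storage", "tabs", "cookies"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://shop.example/*"], "js": ["c.js"]}]
}"""

if __name__ == "__main__":
    for line in audit_manifest(SAMPLE):
        print(line)
```

An extension that only needs one shopping site but asks for every site, as this sample does, is the kind of mismatch worth declining.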
If you’re browsing a web page and then you suddenly get a red screen playing scary sounding audio and demanding that you call an 800 number, turn your computer off. It’s a scam. Sometimes I’ll call those guys and mess with them, but if you’re not an IT professional, I don’t recommend engaging them. They’re criminals, and they’re actually not all that knowledgeable about computers either. If you really did have a problem, they wouldn’t be able to fix it.
Changing DNS settings to protect your Chromebook
While you can’t install antivirus on a Chromebook, there is one security enhancement I do want you to do on it. I want you to change it to use DNS servers of 220.127.116.11 and 18.104.22.168, or better yet, Cleanbrowsing.org’s servers at 22.214.171.124 and 126.96.36.199. DNS is basically the Internet’s phone directory, and those specific DNS servers make use of blacklists maintained by reputable security researchers.
Using them makes your computer more hostile to viruses and malware, and blocks a good number of those web pages that transmit fake virus messages. Even when it fails to block them, it often keeps them from working properly. None of my immediate family members have seen a fake virus message since I started using these two servers. It also may speed up your Internet slightly, since it’s likely to be faster than your ISP’s DNS.
When was the last time virus protection sped up your computer?
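To show why a filtering DNS server blocks some fake-virus pages outright and merely breaks others, here is an added example that is not part of the original article: a Python model of the blocklist lookup. The domain names, addresses and blocklist entries are constructed, and answering a blocked name with "no such domain" is an assumption (some services return a block-page address instead).

```python
# Constructed blocklist entries; real services use researcher-maintained lists.
BLOCKLIST = {"fake-alert.example", "scam-cdn.example"}

# Constructed upstream records, using documentation address ranges.
UPSTREAM = {
    "news.example": "192.0.2.10",
    "static.news.example": "192.0.2.11",
    "popup.fake-alert.example": "198.51.100.7",
    "new-scam-host.example": "198.51.100.8",
    "audio.scam-cdn.example": "198.51.100.9",
}

def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.lower().rstrip(".")

def is_blocked(name, blocklist=BLOCKLIST):
    """True if the name or any parent domain is on the blocklist."""
    labels = normalize(name).split(".")
    # Check "a.b.c", then "b.c", then "c", so subdomains inherit the block.
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def resolve(name, upstream=UPSTREAM):
    """Return an address, or None (no such domain) for a blocked name."""
    if is_blocked(name):
        return None
    return upstream.get(normalize(name))

def load_page(page_host, resource_hosts, upstream=UPSTREAM):
    """Model a browser: the page, then each host it pulls resources from."""
    if resolve(page_host, upstream) is None:
        return {"page_loaded": False, "loaded": [], "refused": [page_host]}
    loaded, refused = [], []
    for host in resource_hosts:
        (loaded if resolve(host, upstream) else refused).append(host)
    return {"page_loaded": True, "loaded": loaded, "refused": refused}

if __name__ == "__main__":
    # Listed domain: the page never loads.
    print(load_page("popup.fake-alert.example", []))
    # Unlisted page host, but its alarm audio lives on a listed domain.
    print(load_page("new-scam-host.example", ["audio.scam-cdn.example"]))
    # Ordinary site: untouched.
    print(load_page("news.example", ["static.news.example"]))
```

The second case is the "keeps them from working properly" outcome: the page itself resolves, but the pieces it depends on do not.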
Making the change
Click the notification tray, then click the gear. Click the Wi-Fi option in the Settings screen. Then click on the name of your wifi network to expand it. Scroll to the bottom to the section called Name servers. It’s probably set to Automatic name servers. Click that setting and choose Custom name servers.
In the blanks labeled Name servers, enter 188.8.131.52 and 184.108.40.206, like in the screenshot to the right (though you’ll see different servers there; I’ve found better ones since that screenshot).
Unfortunately you have to make this change on a per-network basis. So if you connect to more than one wifi network, you’ll have to change DNS for those additional networks as well.
You can also make the change on your router instead, if you are comfortable doing that. Every router is different, so you’ll need to refer to your router’s documentation for instructions on how to do that.
What this does
Using these DNS servers doesn’t guarantee that all of those messages get blocked. But it should block many of them. The fake messages are actually harmless, but they’re annoying. So it’s nice not to see them in the first place. These DNS servers can also interfere with spam and phishing e-mail messages.
Making this change doesn’t cost anything. It also doesn’t interfere with normal web browsing. The companies who run these servers take precautions to protect normal, legitimate Internet usage.
This change doesn’t make you invincible. But if a Chromebook is a 9 out of 10, security-wise, this change bumps it up a bit more. No computer rates a perfect 10. But a Chromebook with this change gets you about as close as anything can get to a 10.
What about a firewall? Do Chromebooks need a firewall?
Chromebooks have a firewall that operates behind the scenes. There’s nothing the end user needs to do to enable it or change it. There isn’t a lot of need to change the firewall anyway, due to the way Chromebooks work. Firewalls that run on Windows limit what programs are able to connect to the Internet and how. Chromebooks already severely limit those things, beyond what a firewall does.
I’ve never liked most consumer firewall products. They go out of their way to show you how much they’re doing for you, and that adds complexity. It also tends to lead to unhealthy levels of either complacency or paranoia.
I really like how Chromebooks keep it simple.
Security professionals recommend Chromebooks for a reason
Security professionals recommend Chromebooks because they were designed with security in mind. They do a good job of protecting your data, both in memory and in use. They limit the programs that can run and severely limit how much those programs can interact with each other.
These design decisions make it difficult to write a virus for Chrome OS. They limit what a virus would be able to do if someone did write one. And they solve other security issues in the process.
You still need to be careful about reading e-mail from strangers, but you’d have to do that anyway, on any computer. The human is almost always the weakest link in a computer system. But on a Chromebook, the human is the only known weak link.
One of the very best things you can do to protect yourself online is to buy a Chromebook and dedicate it to banking and bill paying. Don’t do online banking or bill payments on any other computer. And don’t use that Chromebook for anything but banking and bills. You can get a refurbished Chromebook on eBay for around $75 if you’re not worried about what it looks like. Just make sure it comes with the AC adapter and the screen and keyboard aren’t damaged. For a bit more money, you can get a nicer one.
Chromebooks don’t need antivirus, but that’s not the only reason to buy one.