Cisco Umbrella is Malware

Hey all,

I came to DevOps by the unusual path of network engineering. Tons of fun, and I got to rub shoulders with all sorts of business owners, InfoSec teams, and even some high-performance application owners.

I have a broad respect for network technologies — it’s forgotten, but like most foundational technology, we wouldn’t get very far without it in place.

Cisco’s Umbrella does a great job at keeping computers safe. It grabs all DNS and sends it to the Umbrella (well now Cisco) cloud for filtering, where enterprise policies can be applied. I have no objection to this model — it works great, it’s an effective method for security.

Image for post
Image for post
Image source:

However, I run into an issue that I’m sure others do as well — Cisco Umbrella is sticky. Like, crazy sticky.

I run my own consulting firm, so my personal laptop is also my work computer . I use that computer to connect to a client who uses Umbrella integrated into AnyConnect. I installed it, in fact. On connection, Umbrella is installed and activated. That’s fine, and a good model for an enterprise.

HOWEVER, when I disconnect from this client Umbrella hangs around. Umbrella used to be its own service that you could (annoyingly) load or unload using the launchctl tool on mac computers. Unfortunately, that no longer works because Umbrella is integrated into a single launchctl plist.

Which leaves me stuck, with this stupid, very annoying DNS filter on my personal computer. There’s no method to turn it off, no method for you to pinky-swear that your personal computer on your home network doesn’t need to abide by computer X’s enterprise internet filtering policies.


So I built the script to do both things — you can break Umbrella and AnyConnect, and you can run the script again to fix it.

I have creatively named it the Umbrella Breaker (tm). Please see the source code here:

Have fun out there folks!

Written by

NetOps/DevOps engineer, consultant, business owner, Pluralsight author. Fascinated with computer security and privacy policy. Teacher. He/Him.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store