@christopher-hopper
Last active June 3, 2025 04:03
Stop Zscaler Netskope or Cylance services on macOS

Disable macOS Cylance Zscaler or Netskope

The following scripts can be used to disable common security compliance software that blocks access to the Internet on corporate managed macOS computers. These scripts will not uninstall the software.

You may be asked to enter a password for command operations that require elevated privileges via sudo. If you do not have permission to run commands as a root user with sudo then these scripts will not work for you.

The changes made by these scripts may be reset after reboot. Where a 'stop' script makes a change to prevent automatic restarts, a 'start' script will be provided to reset any change back to normal.

Installation

Download the script/s to stop the relevant software shown below. You do not need to download all scripts. Only download the script that is relevant to you.

NOTE: Using curl to access gist.github.com may not work when Zscaler or Netskope are running. If so, use another method to download the script contents.

Zscaler stop/start

curl -L https://gist.github.com/christopher-hopper/c8033839ef927a201feb8a8e8d256ed7/raw/zscaler-stop.sh -o zscaler-stop.sh && chmod ug+x $_

Netskope stop

curl -L https://gist.github.com/christopher-hopper/c8033839ef927a201feb8a8e8d256ed7/raw/netskope-stop.sh -o netskope-stop.sh && chmod ug+x $_

Cylance stop

curl -L https://gist.github.com/christopher-hopper/c8033839ef927a201feb8a8e8d256ed7/raw/cylance-stop.sh -o cylance-stop.sh && chmod ug+x $_

TIP: Optionally, after download move the script into the /usr/local/bin folder so you can execute it from anywhere.

Usage

After downloading and installing a script, you can execute it in a terminal.

Usage: zscaler-stop.sh

To stop Zscaler, in a terminal run the script:

./zscaler-stop.sh

To restart Zscaler, run the script with the start argument:

./zscaler-stop.sh start

To check if Zscaler is listening and get usage help, run the script with the help argument:

./zscaler-stop.sh help

Usage: netskope-stop.sh

In a terminal run the script:

./netskope-stop.sh

After running the ./netskope-stop.sh script you will need to find and stop the Netskope Client proxy in your macOS System Settings.

  1. Open macOS Apple menu 🍎 > System Settings dialog.
  2. Click on 🌐 Network in the sidebar.
  3. Click on VPN & Filters on the right.
  4. Under Filters & Proxies find the Netskope Client Transparent Proxy and select it.
  5. Once selected, use the minus button to remove it.

This will stop the transparent proxy from routing your traffic through Netskope.

[Screenshot: macOS Network, Netskope Client transparent proxy]

Usage: cylance-stop.sh

In a terminal run the script:

./cylance-stop.sh

File: cylance-stop.sh

#!/usr/bin/env bash
# vim: ai ts=2 sw=2 et sts=2 ft=sh

# Exit on error unless '|| true'.
#set -o errexit
# Exit on error inside subshells functions.
set -o errtrace
# Do not use undefined variables.
set -o nounset
# Catch errors in piped commands.
set -o pipefail
# Allow empty globs.
shopt -s nullglob
# Split command output on newlines and tabs, so each output line is one loop item.
IFS=$'\n\t'

main ()
{
  local _cylaunchd
  local _cyplist
  local _cykext
  local _procname

  _procname="cylance"

  # List launchd cylance services running.
  for _cylaunchd in $(launchctl list | grep -i "$_procname" | tail -r | cut -f 3); do
    echo -e "--- Remove: ${_cylaunchd}" 1>&2
    sudo launchctl stop "$_cylaunchd" || true
    sudo launchctl remove "$_cylaunchd" || true
  done

  # List launchd cylance plist files.
  for _cyplist in /Library/LaunchDaemons/*"$_procname"*; do
    echo -e "--- Unload: ${_cyplist}" 1>&2
    sudo launchctl unload "$_cyplist" || true
  done

  echo -e "--- Kill: CylanceSvc" 1>&2
  killall CylanceSvc

  # List kextstat cylance kernel extensions.
  for _cykext in $(kextstat | grep -i "$_procname" | tr -s ' ' | tail -r | cut -d ' ' -f 7); do
    echo -e "--- Unload: ${_cykext}" 1>&2
    sudo kextunload -v 3 -b "$_cykext" || true
  done
}

main

File: netskope-stop.sh

#!/usr/bin/env bash
# vim: ai ts=2 sw=2 et sts=2 ft=sh

# Exit on error unless '|| true'.
#set -o errexit
# Exit on error inside subshells functions.
set -o errtrace
# Do not use undefined variables.
set -o nounset
# Catch errors in piped commands.
set -o pipefail
# Allow empty globs.
shopt -s nullglob
# Separator for expansion: split on newlines and tabs, so each output line is one loop item.
IFS=$'\n\t'

# Globals
# Set variables for current file, directory.
__dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
__file="${__dir}/$(basename "${BASH_SOURCE[0]}")"
__base="$(basename "${__file}" .sh)"
__invocation="$(printf %q "${__file}")$( (($#)) && printf ' %q' "$@")"

main ()
{
  local __launchd
  local __daemons_plist
  local __agents_plist
  local __proc_name
  local __pid_num

  __proc_name="netskope"

  # List launchd services running.
  for __launchd in $(launchctl list | grep -i "$__proc_name" | tail -r | cut -f 3); do
    echo -e "--- Remove: ${__launchd}" 1>&2
    sudo launchctl stop "$__launchd" || true
    sudo launchctl remove "$__launchd" || true
  done

  # List root LaunchDaemons plist files.
  for __daemons_plist in /Library/LaunchDaemons/*"$__proc_name"*; do
    echo -e "--- Unload: ${__daemons_plist}" 1>&2
    sudo launchctl unload "$__daemons_plist" || true
  done

  # List user LaunchAgents plist files.
  for __agents_plist in /Library/LaunchAgents/*"$__proc_name"*; do
    echo -e "--- Unload: ${__agents_plist}" 1>&2
    launchctl unload "$__agents_plist" || true
  done

  # Kill remaining processes by PID, skipping this script and the grep itself.
  for __pid_num in $(sudo ps aux | grep -i "$__proc_name" | grep -v "$__base" | grep -v "grep" | tr -s ' ' | cut -d' ' -f 2); do
    echo -e "--- Kill: $__proc_name [$__pid_num]" 1>&2
    sudo kill -9 "$__pid_num" || true
  done
}

main

File: zscaler-stop.sh

#!/usr/bin/env bash
# vim: ai ts=2 sw=2 et sts=2 ft=sh

# Exit on error unless '|| true'.
#set -o errexit
# Exit on error inside subshells functions.
set -o errtrace
# Do not use undefined variables.
set -o nounset
# Catch errors in piped commands.
set -o pipefail
# Enable case-insensitive globbing
shopt -s nocaseglob
# Allow empty globs.
shopt -s nullglob
# Split command output on newlines and tabs, so each output line is one loop item.
IFS=$'\n\t'

# Globals.
export Z_PROC="Zscaler"
export Z_APP="/Applications/Zscaler/Zscaler.app"
export Z_BIN="${Z_APP}/Contents/MacOS/Zscaler"

## Stop Zscaler
#
# This function prevents Zscaler from being executed or restarted by
# changing the execute permissions of the Zscaler binary. It also
# stops the Zscaler process if it is running.
#
stop ()
{
  local _zslaunchd
  local _zsplist

  # Prevent Zscaler from being executed or restarted.
  echo -e "--- Disable: Zscaler app executable" 1>&2
  sudo chmod -vv a-x "${Z_BIN}"

  # List launchd zscaler services running.
  for _zslaunchd in $(launchctl list | grep -i "${Z_PROC}" | tail -r | cut -f 3); do
    echo -e "--- Remove: ${_zslaunchd}" 1>&2
    sudo launchctl stop "$_zslaunchd" || true
    sudo launchctl remove "$_zslaunchd" || true
  done

  # List launchd zscaler plugin plist files.
  for _zsplist in /Library/LaunchDaemons/*"${Z_PROC}"*; do
    # Skip non-existent files (nullglob).
    [[ -e "$_zsplist" ]] || continue
    echo -e "--- Unload: ${_zsplist}" 1>&2
    sudo launchctl unload "$_zsplist" 2>/dev/null || true
  done

  echo -e "--- Kill: Zscaler" 1>&2
  killall "${Z_PROC}" 2>/dev/null || true
}

## Start Zscaler
#
# This function enables Zscaler to be executed or restarted by changing the
# execute permissions of the Zscaler binary. It also restarts the Zscaler
# process if it is running.
#
start ()
{
  # Allow Zscaler to be executed or restarted.
  echo -e "--- Enable: Zscaler app executable" 1>&2
  sudo chmod -vv a+x "${Z_BIN}"

  echo -e "--- Restart: Zscaler app" 1>&2
  killall "${Z_PROC}" 2>/dev/null || true
  open -a "${Z_APP}" -g
}

## Check Zscaler open network connections
#
# This function displays all open network connections used by Zscaler.
#
check ()
{
  echo -e "--- Check: Zscaler open network connections" 1>&2
  sudo lsof +c0 -Pi -a -c "/${Z_PROC}/i"
  echo -e "" 1>&2

  echo -e "--- Check: Zscaler app binary" 1>&2
  if [[ -x "${Z_BIN}" ]]; then
    echo "ENABLED: ${Z_BIN}"
  else
    echo "DISABLED: ${Z_BIN}"
  fi
  echo -e "--- Check: end" 1>&2
  echo -e "" 1>&2
}

# Main entry point.
#
# This function is called with the arguments passed to the script.
#
# @param $@ The arguments passed to the script.
#
# @example
# ./zscaler-stop.sh stop
# ./zscaler-stop.sh start
main ()
{
  if [[ "${1:-stop}" = "stop" ]]; then
    check
    stop
  elif [[ "${1:-}" = "start" ]]; then
    start
  else
    check
    echo "Usage: $0 [stop|start]" 1>&2
    exit 1
  fi
}

main "$@"
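
From the monitoring side, the commands these three scripts run leave recognizable command lines in process-execution telemetry. The following is an added example, not part of the gist, that matches them in a constructed log; the log format (timestamp, user, command line), the user names and the `com.example.*` identifiers are assumptions.

```shell
#!/bin/sh
# Added example (not from the gist): flag command lines that tamper with
# the Zscaler, Netskope or Cylance agents, as the stop scripts above do.

# Constructed sample telemetry: "<timestamp> <user> <command line>".
sample_exec_log() {
  cat <<'EOF'
2025-01-01T09:00:01Z alice sudo chmod -vv a-x /Applications/Zscaler/Zscaler.app/Contents/MacOS/Zscaler
2025-01-01T09:00:02Z alice launchctl list
2025-01-01T09:00:03Z alice sudo launchctl unload /Library/LaunchDaemons/com.example.netskope.plist
2025-01-01T09:00:04Z alice killall CylanceSvc
2025-01-01T09:00:05Z alice sudo kextunload -v 3 -b com.example.cylance.kext
2025-01-01T09:00:06Z bob sudo launchctl unload /Library/LaunchDaemons/com.example.backup.plist
2025-01-01T09:05:00Z alice sudo chmod -vv a+x /Applications/Zscaler/Zscaler.app/Contents/MacOS/Zscaler
EOF
}

# Read log lines on stdin; print "<rule><TAB><original line>" for each hit.
detect_agent_tamper() {
  awk '
    {
      line = tolower($0)
      # Only consider lines that name one of the agents.
      if (line !~ /zscaler|netskope|cylance/) next
      rule = ""
      if (line ~ /launchctl (stop|remove|unload) /)      rule = "launchd-unload"
      else if (line ~ /chmod .*[ugoa]*-[rwx]*x[rwx]* /)  rule = "exec-bit-removed"
      else if (line ~ /kextunload /)                     rule = "kext-unload"
      else if (line ~ /killall /)                        rule = "agent-kill"
      if (rule != "") printf "%s\t%s\n", rule, $0
    }'
}

sample_exec_log | detect_agent_tamper
```

The `kill -9 <pid>` calls in netskope-stop.sh carry no agent name on the command line, so catching them needs the target PID resolved to a process name by the telemetry source. The `chmod ... a+x` line from the `start` path is deliberately not flagged.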
christopher-hopper commented May 21, 2025

How can I tell if Zscaler is running?

If you reboot macOS your system may attempt to restart the Zscaler proxy in the background, even though the Zscaler client application is not running. Check to see if the Zscaler proxy is actively listening with this command:

sudo lsof +c0 -Pi -a -c "/zscaler/i"

The command above will show all network connections open for "zscaler".

Zscaler proxy listens on port 9000. If you see Zscaler listening on port 9000 run the zscaler-stop.sh script again to kill it.
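
The listening check described in the comment above, as an added example that is not part of the gist: a function that reads `lsof +c0 -Pi` output and reports whether a Zscaler process holds a LISTEN socket on a given port. The sample output, including the PID, device values and addresses, is constructed.

```shell
#!/bin/sh
# Added example (not from the gist): decide from lsof output whether a
# Zscaler process is listening on a port (9000 by default).
# On a real host, feed it:
#   sudo lsof +c0 -Pi -a -c "/zscaler/i" | zscaler_listeners 9000

# Constructed sample of the lsof output format.
sample_lsof() {
  cat <<'EOF'
COMMAND  PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Zscaler  612 root   10u  IPv4 0x0000000000000001      0t0  TCP 127.0.0.1:9000 (LISTEN)
Zscaler  612 root   11u  IPv4 0x0000000000000002      0t0  TCP 127.0.0.1:9010 (LISTEN)
Zscaler  612 root   12u  IPv4 0x0000000000000003      0t0  TCP 10.0.0.5:52044->203.0.113.10:443 (ESTABLISHED)
EOF
}

# Print "<pid> <command> <address>" for each matching listener.
# Exit status 0 if at least one listener was found, 1 otherwise.
zscaler_listeners() {
  awk -v port="${1:-9000}" '
    # COMMAND is field 1; the socket state is the last field and the
    # local address the one before it (UDP rows have no state).
    tolower($1) ~ /zscaler/ && $NF == "(LISTEN)" {
      # The port is whatever follows the last ":" (works for *:9000
      # and [::1]:9000 as well).
      n = split($(NF - 1), part, ":")
      if (part[n] == port) { print $2, $1, $(NF - 1); found = 1 }
    }
    END { exit (found ? 0 : 1) }'
}

if sample_lsof | zscaler_listeners 9000; then
  echo "Zscaler proxy is listening on port 9000"
else
  echo "No Zscaler listener on port 9000"
fi
```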