I involuntarily became a Cisco Umbrella customer recently. I am using "customer" in the loosest sense of the word, since all I did was sign up for a trial account to validate a few things. I recently heard that Umbrella had classified my site as a malware site. I registered for a trial account and confirmed that Umbrella flagged my domain on 1 Nov 2022.
I submitted a request to have my domain removed from their malware category, and then I waited. Their first-level responders just forward the ticket to another group for investigation. In the meantime, Umbrella sent me the typical marketing emails about getting the most out of my trial. They even sent me a few less-than-helpful links about Linksys and CradlePoint devices. I spent my time doing a bit of research while I was waiting.
I discovered that Umbrella had classified all of the FQDNs in my personal domain as malware. They even classified two static HTML single-page sites as malware. I checked my other domains to see if any of them were false positives for malware. None of my other domains had been misclassified.

I was surprised by some of the data that they provided. Some of their data was completely wrong, and some of it seemed completely made up. Umbrella tagged one of my domains with the following statement: "We suspect it may be a Fast Flux." For those that are not familiar, fast flux is a technique that botnets use to evade blocks. Coincidentally, this particular site of mine has been hosted on the same IP address for nearly five years. Their fast flux suspicions are completely unfounded.

Umbrella evaluates risk on four scores: Geo Popularity Score, Keyword Score, Lexical Score, and TLD Score. Even nonexistent domains have scores. I do find it curious that an imaginary domain that has never been registered shares keywords with malware sites.
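To show what the fast flux signals actually look like, and why a site parked on one IP address for years should not trip them, here is an added example (my own code, not from the original post and not Cisco Umbrella's scoring, which is undocumented). It summarises a hostname's DNS resolution history using the classic indicators: many distinct addresses spread across unrelated networks, very short TTLs, and rapid address turnover. The thresholds, the `/16` prefix count used as a stand-in for network diversity, and the two sets of observations are all constructed assumptions.

```python
"""Heuristic fast-flux indicators from a hostname's DNS resolution history.

Added example, not code from the original post and not Cisco Umbrella's
scoring. All thresholds are assumptions chosen to illustrate the idea,
and the observations below are constructed, not real passive-DNS data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List


@dataclass(frozen=True)
class Observation:
    """One A-record answer seen for a hostname at a point in time."""
    name: str
    ip: str
    ttl: int            # TTL in seconds, as returned in the answer
    seen_at: datetime   # when the answer was observed


def fast_flux_indicators(obs: Iterable[Observation]) -> dict:
    """Compute the classic fast-flux signals for one hostname's history.

    Each of the four signals contributes one point to `score` when its
    (assumed) threshold is met. A stable host scores 0 on all of them.
    """
    rows = list(obs)
    if not rows:
        return {"distinct_ips": 0, "distinct_prefixes": 0,
                "min_ttl": None, "churn_per_day": 0.0, "score": 0}

    ips = {r.ip for r in rows}
    # Crude network-diversity proxy: distinct /16 prefixes. Real tooling
    # would look up the ASN of each address instead (assumption: offline).
    prefixes = {".".join(r.ip.split(".")[:2]) for r in rows}
    min_ttl = min(r.ttl for r in rows)
    span = max(r.seen_at for r in rows) - min(r.seen_at for r in rows)
    days = max(span.total_seconds() / 86400, 1.0)   # avoid division by zero
    churn = (len(ips) - 1) / days                    # new addresses per day

    score = 0
    score += int(len(ips) >= 5)        # assumed threshold: many addresses
    score += int(len(prefixes) >= 3)   # assumed threshold: unrelated networks
    score += int(min_ttl <= 300)       # assumed threshold: short TTLs
    score += int(churn >= 1.0)         # assumed threshold: rapid turnover
    return {"distinct_ips": len(ips), "distinct_prefixes": len(prefixes),
            "min_ttl": min_ttl, "churn_per_day": churn, "score": score}


def classify(obs: Iterable[Observation]) -> str:
    """Label a history as suspected fast flux when three or more signals fire."""
    return "suspected fast flux" if fast_flux_indicators(obs)["score"] >= 3 else "stable hosting"


def _stable_site() -> List[Observation]:
    # Constructed: one host on one address with an hourly TTL, observed
    # roughly twice a year for about five years (the situation the post describes).
    start = datetime(2018, 1, 1)
    return [Observation("www.example.net", "203.0.113.10", 3600,
                        start + timedelta(days=182 * i)) for i in range(10)]


def _flux_like() -> List[Observation]:
    # Constructed: 12 different addresses in three unrelated /16s, 60-second
    # TTL, all seen within two days. Documentation ranges only.
    start = datetime(2022, 11, 1)
    nets = ["203.0.113", "198.51.100", "192.0.2"]
    return [Observation("bad.example", f"{nets[i % 3]}.{i + 1}", 60,
                        start + timedelta(hours=4 * i)) for i in range(12)]


STABLE_SITE = _stable_site()
FLUX_LIKE = _flux_like()

if __name__ == "__main__":
    for label, history in (("stable site", STABLE_SITE), ("flux-like", FLUX_LIKE)):
        print(label, classify(history), fast_flux_indicators(history))
```

The useful part for anyone disputing a classification is the indicator dictionary rather than the label: a long observation window with one address, one prefix and a long TTL is exactly the evidence to attach to a removal request.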
In any case, Umbrella finally removed my domain from the malware category. I am still researching if my site or I have suffered any reputational damage.