OfficeScan Protection Against Shellshock Linux Bash Vulnerability

Updated: 17 Oct 2016

Product/Version:
    • OfficeScan 10.6
    • OfficeScan 11.0
    • OfficeScan XG.All

Platform:
    • Windows 2003 Datacenter 64-bit
    • Windows 2003 Enterprise
    • Windows 2003 Enterprise 64-bit
    • Windows 2003 Server R2
    • Windows 2003 Standard
    • Windows 2003 Standard 64-bit
    • Windows 2008 Datacenter
    • Windows 2008 Datacenter 64-bit
    • Windows 2008 Enterprise
    • Windows 2008 Enterprise 64-bit
    • Windows 2008 Server Core
    • Windows 2008 Server R2 Enterprise
    • Windows 2008 Standard
    • Windows 2008 Standard 64-bit
    • Windows 2008 Web Server Edition
    • Windows 2008 Web Server Edition 64-bit
    • Windows 2012 Datacenter R2
    • Windows 2012 Enterprise
    • Windows 2012 Server Essential R2
    • Windows 2012 Server Essentials
    • Windows 2012 Standard
    • Windows 2012 Standard R2
    • Windows 2012 Web Server Edition
    • Windows 7 32-bit
    • Windows 7 64-bit
    • Windows 8 32-bit
    • Windows 8 64-bit
    • Windows Vista 32-bit
    • Windows Vista 64-bit
    • Windows XP Home
    • Windows XP Professional
    • Windows XP Professional 64-bit
Summary

This article is about utilizing OfficeScan’s Global C&C Callback Feature for an additional layer of internal protection against the Shellshock Linux Bash Vulnerability [CVE-2014-6271 and CVE-2014-7169].

A serious vulnerability has been found in the Bash command shell, which is commonly used by most Linux distributions. Commonly referred to as “Shellshock,” this vulnerability (CVE-2014-6271 and CVE-2014-7169) allows an attacker to run commands on an affected system. In short, this allows for remote code execution on servers that run these affected Linux distributions.

Trend Micro has identified that one potential way of attacking a vulnerable Unix/Linux/Mac system is from within the boundaries of a network, bypassing perimeter security. Such attacks could potentially come from Windows-based machines.

To protect against this type of attack, Trend Micro proactively recommends that customers who have deployed OfficeScan versions 10.6 Service Pack 3 or 11.0 enable a feature known as Global Command & Control (C&C) Callback, which prevents potential attackers from using an OfficeScan-protected endpoint inside the network to attack a Shellshock-vulnerable Unix/Linux/Mac machine.

The Global C&C IP list works in conjunction with Trend Micro’s Network Content Inspection Engine (NCIE) to detect network connections with Trend Micro confirmed C&C servers. Trend Micro has released a specific NCIE rule for Shellshock that detects contact with a C&C server through any network channel, and the Suspicious Connection Service logs all connection information to servers in the Global C&C IP list for evaluation.

By enabling this feature internally on supported OfficeScan clients, organizations can add an extra layer of protection within their environments for Shellshock-vulnerable systems.
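The list-matching idea described above can be illustrated with a short script. This is an added example, not Trend Micro code: the log format, endpoint names and the list entries are constructed (documentation address ranges), and it does not reflect OfficeScan's own log layout or how NCIE works internally.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for a C&C IP list (documentation address ranges only).
CNC_LIST = ["203.0.113.7", "198.51.100.0/28"]

# Constructed connection records: timestamp, endpoint, destination IP, destination port.
SAMPLE_LOG = """\
2014-09-26T10:01:12 WIN7-ACCT-03 203.0.113.7 443
2014-09-26T10:01:40 WIN7-ACCT-03 192.0.2.10 80
2014-09-26T10:02:05 SRV2008-FILE 198.51.100.9 8080
2014-09-26T10:02:31 SRV2008-FILE 198.51.100.200 80
2014-09-26T10:03:00 XP-LAB-11 not-an-ip 80
2014-09-26T10:03:44 WIN7-ACCT-03 203.0.113.7 443
"""

def load_networks(entries):
    """Parse single addresses and CIDR ranges into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def find_callbacks(log_text, networks):
    """Return (hits, rejected): hits maps endpoint -> list of (time, dest, port)."""
    hits, rejected = defaultdict(list), []
    for line in log_text.splitlines():
        fields = line.split()
        try:
            ts, endpoint, dest, port = fields
            addr = ipaddress.ip_address(dest)
            port = int(port)
        except ValueError:
            rejected.append(line)  # keep unparseable records for manual review
            continue
        if any(addr in net for net in networks):
            hits[endpoint].append((ts, str(addr), port))
    return dict(hits), rejected

if __name__ == "__main__":
    hits, rejected = find_callbacks(SAMPLE_LOG, load_networks(CNC_LIST))
    for endpoint, events in sorted(hits.items()):
        print(f"{endpoint}: {len(events)} connection(s) to listed addresses")
        for ts, dest, port in events:
            print(f"  {ts} -> {dest}:{port}")
    print(f"{len(rejected)} record(s) could not be parsed")
```

Endpoints that show repeated connections to listed addresses are the ones to evaluate first; unparseable records are returned separately so they are not silently dropped.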

For more background information on Shellshock, including some additional tools and information, please visit Trend Micro’s landing page at: http://www.trendmicro.com/us/security/shellshock-bash-bug-exploit/index.html

Details

Customers can enable OfficeScan’s Global C&C Callback functionality by using the instructions below for their respective version.

OfficeScan 10.6 Service Pack 2 with Custom Defense Pack or Service Pack 3

  1. Open the OfficeScan server console.
  2. Navigate to Networked Computers > Global Client Settings.
  3. Go to the C&C Contact Alert Settings section.
  4. Enable the "Log network connections between agents and Trend Micro confirmed C&C IP addresses" option.
  5. Select "Log connections from all endpoints" or "Only endpoints running specific operating systems".
  6. Click Save.

You may also visit the Online Help file for OfficeScan 10.6 by visiting this link.

OfficeScan 11.0 & XG

  1. Open the OfficeScan server console.
  2. Navigate to Agents > Agent Management.
  3. Select the group/domain you wish to apply the settings to.
  4. Click on Settings > Suspicious Connection Settings.
  5. Enable the following:
       • Log network connections made to addresses in the Global C&C IP list
       • Log and allow access to User-defined Blocked IP list addresses
       • Log connections using malware network fingerprinting
       • Clean suspicious connections when a C&C callback is detected
  6. Click Apply to All Agents and click Close.
  7. Click Settings > Additional Service Settings.
  8. Under Suspicious Connection Service, select "Enable service on the following operating systems".
  9. Click Apply to All Agents, then click Close.

You may also visit the Online Help file for OfficeScan 11.0/XG by visiting this link.

In addition, customers are encouraged to review their OfficeScan settings and compare them with our best practice guide for malware, which can be found here.

What if I have additional questions?

For additional inquiries, contact Trend Micro Technical Support.

Category: Configure
Solution Id: 1105238