Backdoor:Win64/GoDropper.A
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
This threat is a backdoor payload. It is likely that this device has already been compromised and has received additional malware that gives the attacker further control. Devices might get infected with the GoDropper backdoor through various means, including exploitation of unpatched server-side vulnerabilities such as CVE-2017-0144 (the SMBv1 flaw exploited by EternalBlue) and the Microsoft Exchange Server ProxyLogon chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065). These are not browser vulnerabilities: they are reachable from the network without any user interaction, which is why internet-facing servers are the usual entry point.
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts. Follow these steps to investigate:
- Immediately isolate the affected device. If GoDropper has already launched, it is likely that the device is under complete attacker control.
- Investigate how the affected device might have been compromised. Check the device for new files that might already have been downloaded, and check web proxy logs to identify other websites where the files might have been downloaded from.
- Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts.
- Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts. Check for reverse shells on affected devices, or other tools the attackers might have dropped to enable credential access, lateral movement, and other attack activities. Submit relevant files for deep analysis.
- Contact your incident response team. If you don't have one, contact Microsoft support for investigation and remediation services.
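The steps above can be driven from a single triage script on the isolated device. The following is an added example, not part of Microsoft's guidance, and the seven-day look-back window, the staging directories, the brute-force threshold and the RFC 1918 ranges it treats as internal are assumptions to tune for your environment. It lists recently written files in common drop locations, extracts the accounts that logged on (event 4624) so they can be reset, groups failed logons (event 4625) by source to spot brute forcing, and joins established outbound connections to their owning process to surface reverse shells.

```powershell
# Added example (not from the original advisory): host triage for the steps above.
# Run in an elevated PowerShell session on the isolated device. The look-back window,
# drop directories and thresholds below are assumptions for illustration.
$Since = (Get-Date).AddDays(-7)

# Pull a named field out of a Security event's EventData payload.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } |
        Select-Object -ExpandProperty '#text'
}

# 1. Recently written files in directories droppers commonly stage into (assumed list).
$DropDirs = @($env:TEMP, "$env:SystemRoot\Temp", $env:ProgramData, $env:PUBLIC)
Get-ChildItem -Path $DropDirs -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $Since } |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize

# 2. Accounts that logged on interactively, over the network or via RDP (logon types 2, 3, 10).
#    Treat every account listed here as compromised until proven otherwise.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = Get-EventField $_ 'TargetUserName'
            Domain    = Get-EventField $_ 'TargetDomainName'
            LogonType = Get-EventField $_ 'LogonType'
            Source    = Get-EventField $_ 'IpAddress'
        }
    } |
    Where-Object { $_.LogonType -in '2', '3', '10' -and $_.User -notlike '*$' } |
    Group-Object User, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. Failed logons (event 4625) grouped by source address; a burst from one address is brute forcing.
$Threshold = 20   # assumed; tune to the environment
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventField $_ 'IpAddress' } |
    Group-Object | Where-Object { $_.Count -ge $Threshold } |
    Select-Object @{ n = 'SourceIp'; e = { $_.Name } }, Count | Format-Table -AutoSize

# 4. Established TCP connections to non-private peers, joined to the owning process.
#    cmd.exe or powershell.exe talking to an external address is a reverse shell until proven otherwise.
#    The regex assumes RFC 1918 space is internal; adjust for your own address plan.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1)' } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process = $p.ProcessName
            Pid     = $_.OwningProcess
            Path    = $p.Path
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        }
    } | Format-Table -AutoSize
```

Run it before any remediation so the evidence is captured, and export the tables (for example with Export-Csv) to hand to the incident response team together with the files you submit for deep analysis. Any binary that appears in step 1 and owns a connection in step 4 is a priority sample.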
Guidance for enterprise administrators
- Harden internet-facing assets and ensure they have the latest security updates. Use threat and vulnerability management to audit these assets regularly for vulnerabilities, misconfigurations, and suspicious activity.
- Remediate vulnerabilities or misconfigurations in web applications and web servers.
- Implement proper segmentation of your perimeter network, such that a compromised web server does not lead to the compromise of the enterprise network.
- Secure Remote Desktop Gateway using solutions like Azure Multi-Factor Authentication (MFA). If you don’t have an MFA gateway, enable network-level authentication (NLA).
- Enable antivirus protection on web servers. Turn on cloud-delivered protection to get the latest defenses against new and emerging threats. Restrict user uploads to directories that antivirus can scan and that are configured to disallow server-side scripting or execution, so an uploaded web shell cannot run.
- Utilize the Microsoft Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
- Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.
- Monitor for brute-force attempts. Check excessive failed authentication attempts (Windows security event ID 4625).
- Turn on attack surface reduction rules, including rules that block ransomware activity and other activities associated with human adversaries. To assess the impact of these rules, deploy them in audit mode.
- Turn on tamper protection features to prevent attackers from stopping security services.
- Use Microsoft Defender for Office 365 for enhanced protection and coverage against new multi-faceted threats and polymorphic variants. Microsoft 365 Defender correlates threat data from endpoints, email and data, identities, and apps to coordinate cross-domain protection.
- Educate end users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email and watering holes, and reporting of reconnaissance attempts and other suspicious activity.
- Practice good credential hygiene. Limit the use of accounts with local or domain admin level privileges.
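Several of the host-side controls in this list (SMBv1 removal for the CVE-2017-0144 attack surface, blocking endpoint-to-endpoint SMB and RPC, NLA for RDP, cloud-delivered protection, attack surface reduction rules in audit mode, and a tamper protection check) can be applied and verified from one PowerShell script. The following is an added example written for this page, not Microsoft's own tooling; the internal address range is an assumption, and the two ASR rule GUIDs are the ones documented for "Use advanced protection against ransomware" and "Block credential stealing from the Windows local security authority subsystem", chosen here only as an illustration of audit-mode rollout.

```powershell
# Added example (not from the original advisory): apply and verify host-side controls
# from the guidance above. Run elevated. $WorkstationRange is an assumed internal range;
# servers and admin jump hosts that legitimately need SMB/RPC would get separate Allow rules.
$WorkstationRange = '10.0.0.0/8'

# Remove the SMBv1 server, the protocol CVE-2017-0144 targets.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Block inbound SMB (139/445) and the RPC endpoint mapper (135) from other endpoints.
foreach ($port in 135, 139, 445) {
    New-NetFirewallRule -DisplayName "Block inbound TCP $port from workstations" `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -RemoteAddress $WorkstationRange -Action Block -Profile Domain, Private |
        Out-Null
}

# Require Network Level Authentication for RDP: credentials are checked before a session exists.
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord

# Cloud-delivered protection with sample submission and an aggressive cloud block level.
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples -CloudBlockLevel High

# Deploy two ASR rules in audit mode first; switch to Enabled once the audit events are reviewed.
#   c1db55ab-... : Use advanced protection against ransomware
#   9e6c4e1f-... : Block credential stealing from LSASS
$AsrRules = @(
    'c1db55ab-c21a-4637-bb3f-a12568109d35',
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
)
Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRules `
                 -AttackSurfaceReductionRules_Actions AuditMode, AuditMode

# Verify. Tamper protection cannot be turned on from PowerShell (it is managed through
# Intune or the Microsoft 365 Defender portal), so only its current state is reported.
# Get-MpPreference reports MAPSReporting as a number (2 = Advanced) and ASR actions
# as numbers (1 = Block, 2 = Audit).
$mp     = Get-MpPreference
$status = Get-MpComputerStatus
[pscustomobject]@{
    Smb1Enabled        = (Get-SmbServerConfiguration).EnableSMB1Protocol
    RdpNlaRequired     = (Get-ItemProperty -Path $RdpKey).UserAuthentication -eq 1
    CloudProtection    = $mp.MAPSReporting
    AsrRulesInAudit    = @($mp.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 2 }).Count
    TamperProtected    = $status.IsTamperProtected
    RealTimeProtection = $status.RealTimeProtectionEnabled
}
```

The firewall rules are deliberately scoped by -RemoteAddress rather than applied globally, because blocking 445 from file servers or the jump hosts administrators use breaks legitimate management; the point of the control is to stop a compromised workstation from reaching its peers. Leave the ASR rules in audit mode long enough to review the events they generate before switching the action to Enabled.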
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.