Microsoft has added detection in WINDOWS DEFENDER for the “infection” by the Exchange Server ZERO DAY OWA attack that was active between February 26 and March 3.
Does WebRoot detect the presence of these web shell back doors on Exchange Servers?
Security Outfits have been running a worldwide inventory of the IP addresses with OWA exposed and sending the owners warnings and recommendations.
I checked our server for several indications a week ago, but just received another warning that we are probably infected, with WINDOWS DEFENDER as the recommended detection agent.
“Please review the information below and check for indications of a web shell which could be identified as “Chopper” or “ASP/Chopper” or similar by Windows Defender. Please be aware that this form of compromise may enable second stage or derivative compromise activity and a full incident response activity is recommended. Please see the below links for more details.”
We have WebRoot on our Exchange Server, which means that Windows Defender is disabled (actually not installed).