When I started the VeraCrypt program I got a pop-up indicating that a virus known as "Evil Maid attack" had successfully hacked into my encrypted system, and the program advised me to change my password. Is this legit?
Thanks.
This popup is a VeraCrypt message that was added in version 1.13 in order to detect a special attack against system encryption.
Can you please explain your configuration? Did this error happen just after upgrading to 1.13, or did you boot your PC several times using 1.13 without this error and then it happened suddenly?
Did you restore your bootloader using an older Rescue Disk?
It is possible that it is just a false positive, but it could also be that something has modified your bootloader.
Until you give more details, we can't know for sure.
No, this happened before I upgraded to 1.13 and after it as well. Here's the picture:
[IMG]http://i62.tinypic.com/w0oymv.jpg[/IMG]
Why do my posts need to be moderated every time I submit a post? Get rid of it.
I have not made any changes to my bootloader at all; it just appeared when I ran VeraCrypt on Windows 10. I do not recall anyone having physical access to my machine (which is how Evil Maid gets installed, via physical access) since I am the only person at home.
If you need more information: please be specific. Thank you.
First, your posts are moderated because you are posting anonymously.
Unfortunately, there is a huge number of spam posts and moderation is required.
But I have decided to forbid anonymous posting because the burden of moderation is becoming too heavy...
Just a question: Are you using system encryption? I guess the answer is yes.
What version did you use to encrypt your system the first time? What algorithm are you using for system encryption?
Did you encrypt only the system partition or the whole disk?
This is probably a false positive but I still don't see how this could happen.
Thank you for your help.
I'm using Windows 7 on an Asus laptop. It's new and has never been out of my sight. Only "gremlins" could have gained access to it :) But... after upgrading to 1.13 I also get the "Evil Maid" message every time I boot. I've changed the password and still get the same results. Could it be something specific to the Asus line of laptops?
I'm seeing this exact behavior on my Windows 7 Asus laptop. It always pops up no matter what I do.
This is amazing, especially that it still appears after changing the password.
The detection mechanism reads the bootloader and compares it with the internally stored value. The error is displayed when there is a mismatch.
After changing the password, a new bootloader is written, so the error should go away.
A possible explanation is that there is something on your Asus PC that always modifies the bootloader...
I happen to have an Asus laptop that is encrypted with VeraCrypt and I didn't have any issue after upgrading to 1.13 (I encrypted the whole disk not just the system partition).
To rule out any possible bug in the detection mechanism, can you please share details about your configuration:
Do you have more than one disk in your laptop? Can you share your disk partition layout?
Did you set specific system encryption settings like a custom pre-boot message?
Whole disk encrypted or just the system partition?
PRF used (SHA256, RIPEMD160)?
Cipher used: AES, Twofish, AES-Twofish, ...?
Are you running a decoy OS/hidden OS?
Thank you in advance for your help in understanding this issue.
Many tests on different configurations have been conducted to validate this detection mechanism; that's why I'm puzzled by this.
Hopefully for you, this is just a false positive, even though I don't see how...
The last option would be to implement a way to extract the bootloader so that it can be checked manually.
Last edit: Mounir IDRASSI 2015-08-19
I have only one disk on my laptop.
There is NO custom preboot message. I encrypted it with the default settings.
I used whole disk encryption
I used SHA256
I used AES
I'm not running any decoy or hidden OS
Another user on this forum may have discovered the origin of this false positive: it's the FLEXnet Publisher activation software used by Adobe Photoshop, Adobe Acrobat and other software for license management.
You can read my answer here: https://sourceforge.net/p/veracrypt/discussion/general/thread/ebcffd26
Do you confirm that you are using software that relies on FLEXnet activation?
Here is a quote of my answer:
Basically, FLEXnet writes data to the first drive track and thus modifies the bootloader. VeraCrypt is still able to boot because we keep a copy of the bootloader at the end of the first track, which is not touched by FLEXnet.
As noted in the documentation, this is not a bug in VeraCrypt but rather an inappropriate design of the FLEXnet software.
Tampering with the bootloader in the case of system encryption is definitely very bad, and in this case you cannot have any guarantee about the security of your system.
One could propose modifying VeraCrypt's "Evil Maid" detection mechanism to accommodate the FLEXnet case and check only the bootloader backup part if the boot was done using the backup, but this would give an attacker a way to bypass the detection mechanism!
That's why the only thing that can be done in VeraCrypt is to add an option to disable the "Evil Maid" attack detection (administrative privileges will be needed).
It is unfortunate that FLEXnet has this bad design, because it gives attackers the possibility to hide bootloader modifications alongside FLEXnet's and go undetected. This is a malware-welcoming approach!
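The bootloader comparison described earlier in this thread (read the loader from disk, compare it with the stored value, warn on mismatch) and the FLEXnet overwrite of the first track can be replayed in a small model. The following is an added example, not VeraCrypt's code: the 63-sector first track, the 16-sector loader image, the sector offsets of the primary and backup slots, and the one-sector "license data" payload are all assumptions made for the model.

```python
"""Toy model of a first-track bootloader integrity check (added example, not
VeraCrypt's code).  Layout assumptions for the model: a 63-sector first
track, a 16-sector loader image written at the start of the track, and a
verbatim backup copy of the loader in the last sectors of the track."""
import hashlib
import random

SECTOR = 512
TRACK_SECTORS = 63                              # assumption: classic 63-sector first track
LOADER_SECTORS = 16                             # assumption: toy loader length
PRIMARY_START = 0                               # primary loader: first sectors of the track
BACKUP_START = TRACK_SECTORS - LOADER_SECTORS   # backup copy: last sectors of the track


def make_loader(seed: int) -> bytes:
    """Constructed loader image (deterministic pseudo-random bytes, not real boot code)."""
    return random.Random(seed).randbytes(LOADER_SECTORS * SECTOR)


def fingerprint(image: bytes) -> str:
    """The 'internally stored value' the check compares against."""
    return hashlib.sha256(image).hexdigest()


def write_loader(track: bytearray, loader: bytes) -> str:
    """Write the loader to both slots, as an install or a password change does,
    and return the fingerprint that gets stored."""
    for start in (PRIMARY_START, BACKUP_START):
        off = start * SECTOR
        track[off:off + len(loader)] = loader
    return fingerprint(loader)


def read_slot(track: bytearray, start: int) -> bytes:
    off = start * SECTOR
    return bytes(track[off:off + LOADER_SECTORS * SECTOR])


def primary_modified(track: bytearray, stored: str) -> bool:
    """The check the thread describes: the loader actually on disk versus the
    stored value.  True means 'raise the Evil Maid warning'."""
    return fingerprint(read_slot(track, PRIMARY_START)) != stored


def backup_modified(track: bytearray, stored: str) -> bool:
    return fingerprint(read_slot(track, BACKUP_START)) != stored


def foreign_write(track: bytearray, sector: int, payload: bytes) -> None:
    """Model of a third-party product (FLEXnet-like) writing into the first track."""
    off = sector * SECTOR
    track[off:off + len(payload)] = payload


def scenario() -> dict:
    """Replay the thread: clean boot, foreign write, password change, foreign write again."""
    track = bytearray(TRACK_SECTORS * SECTOR)
    stored = write_loader(track, make_loader(1))
    tag = b"LICENSE-DATA".ljust(SECTOR, b"\0")   # constructed payload, one sector long
    out = {}
    out["warning_on_clean_system"] = primary_modified(track, stored)        # False
    foreign_write(track, 10, tag)              # sector 10 lies inside the primary slot
    out["warning_after_foreign_write"] = primary_modified(track, stored)    # True
    out["still_boots_from_backup"] = not backup_modified(track, stored)     # True
    stored = write_loader(track, make_loader(2))   # password change rewrites the loader
    out["warning_after_password_change"] = primary_modified(track, stored)  # False
    foreign_write(track, 10, tag)              # the product writes again at the next boot
    out["warning_returns"] = primary_modified(track, stored)                # True
    # A check that only looked at the backup slot would stay silent here, which is
    # exactly why a mismatch on the primary slot has to be reported.
    out["backup_only_check_stays_silent"] = not backup_modified(track, stored)  # True
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The last two results are the point of the quoted answer: the machine keeps booting because the backup copy is untouched, yet a detector that consulted only that copy would never notice a modified primary loader, so the warning on the Asus machines is the mechanism working as designed, not a defect.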
I do not have FLEXnet activation software installed on my computer. I managed to change my password and now the warning message went away.
Thanks.
Since the password change solved your issue, this confirms that something has indeed modified the bootloader. If it is neither an external attack nor FLEXnet, it must be some other software component.
Anyway, if you encounter the Evil Maid warning again, you should seriously check what is running on your machine.
I've done some research and have discovered that Asus has its own specialized package of software called the ATK package. It's put on all Asus computers. It's responsible for things like allowing the Asus-specific function keys to work, sleep and sound functionality, and other aspects of an Asus-specific computer.
Could this be the culprit?
Last edit: Crypto 2015-08-25
Look in your services for the FLEXnet Licensing services to ensure they don't exist. There can be two of them, 32-bit and 64-bit versions. They persist, like malware, even after you remove/uninstall the software that required them. The only way I could actually uninstall them was to go into the Windows registry and remove them there, along with deleting the actual files off the disk, although just disabling the services could work as well.
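One way to automate the service and registry check described in the post above, as an added example (not VeraCrypt's code and not the poster's own procedure). The matching logic runs anywhere on the constructed sample entries; the live lookup only works on Windows and assumes the standard HKLM\SYSTEM\CurrentControlSet\Services layout. The service key names and binary paths in the sample are constructed for the example.

```python
"""Added example: spot FLEXnet Licensing services in the Windows service list.
find_flexnet() is pure and runs anywhere; collect_from_registry() is Windows only
and assumes the standard HKLM\\SYSTEM\\CurrentControlSet\\Services layout."""
import sys
from dataclasses import dataclass

SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"
START_NAMES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}
# Text to look for in the key name, DisplayName or ImagePath.  "fnplicensing" is the
# usual key-name prefix of these services (assumption); "flexnet" is the display-name text.
KEYWORDS = ("flexnet", "fnplicensing")


@dataclass
class ServiceEntry:
    name: str          # registry key name under Services
    display_name: str  # DisplayName value
    image_path: str    # ImagePath value
    start: int         # Start value (see START_NAMES); 2 means it comes back on every boot


def find_flexnet(entries):
    """Return the entries whose name, display name or binary path mentions FLEXnet."""
    hits = []
    for e in entries:
        haystack = f"{e.name} {e.display_name} {e.image_path}".lower()
        if any(k in haystack for k in KEYWORDS):
            hits.append(e)
    return hits


def describe(e: ServiceEntry) -> str:
    """One report line: which copy (32/64-bit), how it starts, where the binary is."""
    arch = "64-bit" if "64" in e.name or "64" in e.display_name else "32-bit"
    start = START_NAMES.get(e.start, f"start={e.start}")
    return f"{e.name} [{e.display_name}] {arch}, start={start}, image={e.image_path}"


def collect_from_registry():
    """Windows only: walk the Services key and build ServiceEntry objects."""
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY) as root:
        count = winreg.QueryInfoKey(root)[0]
        for i in range(count):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as sub:
                    def val(value_name, default=""):
                        try:
                            return winreg.QueryValueEx(sub, value_name)[0]
                        except FileNotFoundError:
                            return default
                    entries.append(ServiceEntry(name, str(val("DisplayName")),
                                                str(val("ImagePath")), int(val("Start", -1))))
            except OSError:
                continue   # some service keys are not readable without elevation
    return entries


# Constructed sample: what the service list of a FLEXnet-carrying machine might look like.
SAMPLE = [
    ServiceEntry("Dhcp", "DHCP Client",
                 r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted", 2),
    ServiceEntry("FNPLicensingService", "FLEXnet Licensing Service",
                 r"C:\Program Files (x86)\Common Files\Example Vendor\FNPLicensingService.exe", 3),
    ServiceEntry("FNPLicensingService64", "FLEXnet Licensing Service 64",
                 r"C:\Program Files\Common Files\Example Vendor\FNPLicensingService64.exe", 3),
    ServiceEntry("W32Time", "Windows Time",
                 r"%SystemRoot%\system32\svchost.exe -k LocalService", 3),
]

if __name__ == "__main__":
    entries = collect_from_registry() if sys.platform == "win32" else SAMPLE
    hits = find_flexnet(entries)
    print("no FLEXnet services found" if not hits else "\n".join(describe(h) for h in hits))
```

Run it elevated on the affected machine; the image path in each hit is the file to remove or disable, and a hit that reappears after a reboot points at whatever reinstalls it (the Plantronics Spokes case mentioned later in this thread).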
I did that. I don't see any FLEXnet services running, yet the problem persists.
Found it! It turns out that Plantronics Spokes support software will re-install FLEXnet upon reboot if FLEXnet isn't found. Spokes is really only used with Skype, and all it does is make the buttons on my USB headset work. I'd rather be protected against Evil Maid, so I removed Spokes, changed the password, rebooted, and everything works fine now.
No. I do not have any type of Plantronics Spokes. However, I do have Photoshop installed, therefore I do not know whether I have FLEXnet in my system or not. Is there a way I can find out?
I have changed my password on numerous occasions and I still get the Evil Maid notification. So I am not sure if I am under attack or it's just a false positive. Did changing the password solve my problem? NO.
If you have Photoshop, then you certainly have FLEXnet on your system. Other users have described how you can check its existence by looking at the services running on your Windows system.
Unless you remove or disable FLEXnet, you will always get this Evil Maid warning since FLEXnet actually modifies the bootloader.
Why would FLEXnet modify the bootloader?
I scanned the registry using regedit and I don't see a FLEXnet service there. I checked the services and there's no FLEXnet installed there either. Strange.
And, oh, my bad: I do not have Photoshop installed.
I replied to Mounir but it's not showing up. So I will summarize:
1) I initially thought I had Photoshop installed, but nope, it's not there.
2) I do not have the FLEXnet service installed, as I scoured through regedit. Also, the FLEXnet service isn't listed in the Services tab.
3) I do not have any Adobe service installed on my system, and I'm not planning to anytime in the near future. Adobe is so invasive.
I've tried to increase a volume size using the volume expander, but I still don't know how to make it behave as if it were a new volume. I've tried expanding many; it shows the new increased size, but it also shows that I'm using part of the new space.
I made a 10MB volume, then expanded it to 35MB, and it says that I'm using 9MB, and I didn't even put anything inside before or after expanding it.
Sometimes it says that the empty space is the same as it originally was before expanding it. If I have a 50MB volume with 15MB free and expand it to 100MB, it still says I have 15MB free.
Tried with the fill-new-space-with-random-data option checked and unchecked, and still the same.
I don't know how to make it work properly.
On another topic: Is it normal that Whirlpool volumes take a bit longer to open? It takes a bit more than SHA-512 volumes with the same number of iterations using PIM.
Who can tell me if there is hacking software that can be used to carry out an evil maid attack?