Weird problems encountered when using Veracrypt

Obsidium
2024-08-14
2024-08-16
  • Obsidium

    Obsidium - 2024-08-14

    Hi everyone, today when I opened VeraCrypt I found that VeraCrypt immediately asked me for administrator privileges (I'm using Windows), my VeraCrypt display language was changed to English (I was using other languages before), and at the same time, my "Never save history" was unchecked by default, which is different from before. Does anyone know if this is normal?

     
  • Enigma2Illusion

    Enigma2Illusion - 2024-08-14

    Not normal regarding setting changes to the VeraCrypt application.

    The administrator privileges could be the result of the Microsoft patches released yesterday.

    Try rebooting your PC after the MS patching?

    Do other people have access to your PC?

    What version of VeraCrypt?

    If you are not using VeraCrypt system encryption, try reinstalling VeraCrypt using the same version you are using now. Then reboot PC.

     
    • Obsidium

      Obsidium - 2024-08-15

      Thank you for your reply. I am using VeraCrypt 1.26.7. No one else can physically access my computer. After reinstalling VeraCrypt, it seems to have returned to normal, but I am still very concerned.

       
  • Gary Marks

    Gary Marks - 2024-08-15

    Hi Obsidium,

    Expanding on Enigma2Illusion's question of someone else having access to your PC, unless you can think of an explanation based on specific knowledge of your system and recent activities, you have a couple of red flags to suggest that someone with physical access MAY have tampered with your system. The sudden change of language, and importantly the change to history collection should be concerning. Even if your VeraCrypt configuration file had been inadvertently deleted (which could explain the language change), "Never save history" is the default setting that would be active. It's better to be paranoid than compromised. Someone may want to collect your VeraCrypt file usage history located here (automatically deleted when you re-check the "Never" option):
    C:\Users\<username>\AppData\Roaming\VeraCrypt\History.xml

    If you still can't think of any explanation for these changes, look for signs of a keylogger intended to capture the passwords for any files in your history. You can also check the "Use Secure Desktop for password entry" option in the VeraCrypt preferences dialog, which blocks data collection of many keyloggers.

     

    Last edit: Gary Marks 2024-08-15
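A read-only check of the settings and history file named in the post above, as an added PowerShell example that is not part of the original thread. The `Configuration.xml` file name, its `<config key="...">` layout and the key names `SaveVolumeHistory`, `UseSecureDesktop` and `Language` are assumptions, and the expected language value is a placeholder.

```powershell
# Added example: read-only triage of the per-user VeraCrypt files discussed above.
# Assumptions (not from the thread): Configuration.xml sits beside History.xml and
# stores settings as <config key="...">value</config>; the key names are assumed.
$dir      = Join-Path $env:APPDATA 'VeraCrypt'
$cfgPath  = Join-Path $dir 'Configuration.xml'
$histPath = Join-Path $dir 'History.xml'

# Values the owner expects to see. Edit Language to the one you normally use.
$expected = [ordered]@{
    SaveVolumeHistory = '0'    # "Never save history" checked
    UseSecureDesktop  = '1'    # "Use Secure Desktop for password entry" checked
    Language          = 'en'   # placeholder value
}

function Get-VcSetting {
    param([xml]$Xml, [string]$Key)
    # Returns the text of the matching <config> element, or $null if absent.
    $node = $Xml.SelectSingleNode("//config[@key='$Key']")
    if ($null -eq $node) { return $null }
    return $node.InnerText
}

if (Test-Path -LiteralPath $cfgPath) {
    $cfgItem = Get-Item -LiteralPath $cfgPath
    "Configuration.xml last written: $($cfgItem.LastWriteTime)"
    [xml]$cfg = Get-Content -LiteralPath $cfgPath -Raw
    foreach ($key in $expected.Keys) {
        $actual = Get-VcSetting -Xml $cfg -Key $key
        if ($null -eq $actual) {
            "UNKNOWN  $key is not present in the file"
        } elseif ($actual -ne $expected[$key]) {
            "CHANGED  $key = '$actual' (expected '$($expected[$key])')"
        } else {
            "OK       $key = '$actual'"
        }
    }
} else {
    "Configuration.xml is missing; VeraCrypt falls back to its defaults"
}

# A History.xml file on disk means volume history has been recorded.
if (Test-Path -LiteralPath $histPath) {
    $h = Get-Item -LiteralPath $histPath
    "History.xml exists: created $($h.CreationTime), last written $($h.LastWriteTime)"
} else {
    "History.xml not present (consistent with history saving being off)"
}
```

Comparing the reported write times with when you last used VeraCrypt yourself helps narrow down when the settings changed.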
    • Obsidium

      Obsidium - 2024-08-15

      Thank you for your reply. My computer is almost untouched by anyone; it is protected by multiple surveillance cameras. I have checked again to confirm that no one has accessed it, and I found that there hasn't been any access. This concerns me greatly. Should I immediately delete these encrypted volumes and recreate them? I have noticed that when modifying passwords, the keyboard input behaves differently compared to when creating them. Specifically, the passwords entered during modification can be recorded by keylogging software. This is troubling. I have security software installed on my computer (Kaspersky Premium), and it indicates that there are no threats. What should I do?

       

      Last edit: Obsidium 2024-08-15
  • Enigma2Illusion

    Enigma2Illusion - 2024-08-15

    I am not familiar with Kaspersky software, however they should have a way to perform an offline scan of the PC.

    Is your PC using an SSD and did you have a power surge that impacted the PC?

    In the past, I was home when a power surge impacted the SSD in my laptop that changed my Windows screen resolution and display brightness. Possibly changed other settings, OS and data files corrupted. I restored from an offline image backup taken using Macrium Reflect of my system drive since there were probably various OS and data files that were corrupted.

    If you cannot find the reason for the settings change, I would consider this PC compromised. Not sure if PC is hardware, software or both compromised.

    Hardware compromised means secure erase PC if possible and discard.

    Software compromised means secure erase, reinstall PC BIOS, Windows OS and applications. Do not copy any data since it may have the malware.

    If you are a high value target, then it is possible that the malware has compromised the hardware to survive a secure erase, BIOS and Windows OS install. Consider the PC hardware compromised.

     

    Last edit: Enigma2Illusion 2024-08-15
    • Obsidium

      Obsidium - 2024-08-15

      Thanks for your reply. My PC does use SSD, and there has been no power surge. I just checked the surveillance video during this period, and it is likely that no one except me has touched this computer. I used Kaspersky to scan and it showed no threats. I think I probably need to wipe my PC, which is a challenge for me, as this PC contains important data.

       
      • Gary Marks

        Gary Marks - 2024-08-15

        Before wiping your system and rebuilding it, I'd suggest making a full system backup with a program like Macrium Reflect. One of the features I especially like with Macrium is that any partition within the backup image (made using the "Intelligent Sector" option) can be temporarily mounted to a free drive letter on your new system, making all of the data and configuration files it contains immediately available on your new system via the assigned drive letter and any file manager. This can greatly ease the migration to a new system while minimizing your exposure to any malware on the old system. Once mounted, you can copy your old data piecemeal or en masse, and you can even open and review a document while it exists only in the image file. And as a "point in time" snapshot of your old system, you can continue looking for signs of malware within the system. Here's a site where you can download the most recent free version of Macrium Reflect...
        https://www.majorgeeks.com/files/details/macrium_reflect_free_edition.html
        You can also go to the Macrium website to buy a premium version that includes an option for internal encryption of images and a few other goodies, but I use the free version which has no time limit, and I save my images to an encrypted partition. One of these days I'll probably buy it just to support the great work Macrium has done. It's that good.

         
        • Enigma2Illusion

          Enigma2Illusion - 2024-08-15

          @garymarks

          Given he is not able to explain the multiple changes to the VeraCrypt settings nor the Windows admin permission prompt, I am left with the assumption that malware/virus has infected his PC by getting past his Kaspersky software.

          Since we do not know how or what files caused the infection nor if the infection spread to other data files and software installation programs, how will using a mounted Reflect backup to copy data prevent reinfection of malware/virus since he was previously using Kaspersky software?

          PS: I am not opposed to the backup. I do not understand your recommendation to copy from the Reflect image that will prevent reinfection.

           

          Last edit: Enigma2Illusion 2024-08-15
          • Gary Marks

            Gary Marks - 2024-08-15

            Enigma2Illusion,

            As you point out, my suggestion clearly doesn't eliminate all possibility of reinfection, but it reduces it and fits within what appears to be the chosen path, namely a fresh system without new hardware. Obsidium will be the final arbiter of how extensive and expensive the recovery actions need to be, based on risk tolerance and knowledge that may be too sensitive to disclose. I don't mean to impart any false sense of security, only somewhat greater. Pair that with heightened awareness and vigilance, and it might be enough. Or not.

             
  • Enigma2Illusion

    Enigma2Illusion - 2024-08-15

    @obsidium1

    If you have a local external drive, perform the Reflect backup output to the external drive.

    You probably will need to whitelist Reflect in the Kaspersky software.

    https://knowledgebase.macrium.com/display/KNOW80/Kaspersky+anti-virus+conflict+with+Macrium+Reflect

    If you have another computer that can be sacrificed, install Reflect and Kaspersky software. Then connect the external drive to the other computer, mount the backup with Reflect and use Kaspersky setting high for scanning the entire Reflect mounted backup file.

     

    Last edit: Enigma2Illusion 2024-08-15
    • Obsidium

      Obsidium - 2024-08-16

      Thanks for the reply, that sounds like a good idea, I will do that

       
  • Enigma2Illusion

    Enigma2Illusion - 2024-08-16

    After the Kaspersky setting of high for scanning the Reflect mounted backup file hopefully finds no threats, mount each VeraCrypt volume and use the Kaspersky setting of high for scanning to see if any infection is located within each of your VeraCrypt volumes.

     

    Last edit: Enigma2Illusion 2024-08-16
    • Obsidium

      Obsidium - 2024-08-16

      Thank you for replying, is it necessary for the backup file? Can I directly use Kaspersky to scan this PC that may be attacked?

       
  • Enigma2Illusion

    Enigma2Illusion - 2024-08-16

    Another access point for malware/virus is your router.

    If your router has the ability, enable the router to scan for malware/virus both incoming and outgoing.

    Usually you can Google search for your router's specific brand and model for securing your network.

     
    • Obsidium

      Obsidium - 2024-08-16

      Thank you Mr. Enigma2. My router does not have the ability to scan traffic, but my router has a white list. Any device connected to this router must be authorized by me. Is this safe?

       
  • Enigma2Illusion

    Enigma2Illusion - 2024-08-16

    That will help to prevent unknown devices from using your network.

    Of course, if your network password and router admin password are secure (long & complex), that will prevent someone from connecting to your network unless there is an exploit to the router that can bypass the security.

    It will not help if your PC gets infected.

     
