
Worried. Should I be concerned about this "EVIL MAID ATTACK" message?

Topics: Technical Issues
Apr 15, 2016 at 4:16 AM
Dear VC admin, Enigma2Illusion and other VC users,

I installed VC 1.17 on a brand new computer with Windows 7. I wanted to create a Hidden OS and first I created an Outer Volume, after that VC created the Hidden System within the Outer Volume. After 3 hrs the hidden system was created and I entered the Hidden OS password and PIM and it booted back into Windows. Then this message appeared on the screen regarding an EVIL MAID ATTACK.

"Warning: The verification of VC bootloader fingerprint failed. Your disk may have been tampered with by an attacker ("Evil Maid" attack).

This warning can also be triggered if you restored VC bootloader using a Rescue Disk generated using a different VC version.

You are advised to change your password immediately which will also restore the correct VC bootloader. It is recommended to reinstall VC and to take measure to avoid access to this machine by untrusted entities."

Just a few notes:

1) The computer system is brand new, e.g. CPU, motherboard, keyboard etc. A computer shop assembled it for me and I installed a licenced copy of Windows 7 onto it myself. It has only been connected to the internet for a few hours through a router, just to install the latest Windows update and to activate Windows.

2) I am not sure if my system is compromised or not, or if the copy of VC I downloaded is compromised. I checked and the VC version is 1.17 and the Digital Signature is OK, signed by IDRIX on Feb 14, 2016, Sunday 3:59:22 pm

3) I checked some info already and it says an Evil Maid message can be a false positive if some 3rd party software installed on the computer uses Flexnet, or is Adobe related. The only 3rd party software that I installed is a paid licensed antivirus software, but I am not sure if it uses Flexnet or not. I searched my computer with the words "Flexnet" and "Adobe" and no file name related to them came up at all.

Question: I am a bit worried here as I have been using Truecrypt for a long time and I never saw such "EVIL MAID" message comes up. This is the 1st time I use VC. Do I have to be concerned about my system being truly compromised by Evil Maid attack or is this a common false positive? I searched the forum with the key words "Evil Maid" and I am surprised that only 2- 3 related posts came up. I thought it might be a common thing (the false positive) and a lot of users should have similar experience and thus raise the same concern, but this issue seems not as common as I think.

After creating the Hidden System, VC asked me to delete the original system and then install Win 7 as a decoy system, but I pressed "Defer", not knowing whether I should still proceed as I am not sure if my system is truly compromised by an EVIL MAID ATTACK.

Please provide some assistance/info. Thanks in advance.
Apr 15, 2016 at 9:44 AM
I don't know what caused this, but if I remember correctly, TrueCrypt was not able to detect changes in the bootloader. Maybe you are under surveillance and they may have patched some unsigned exe you downloaded from the internet with a virus, which compromised your bootloader. Police can do this, ISP can do this, hacked router too. It can also be a false positive.

Do everything again, disable Windows updates and check if you get the same message. Are you really installing Windows from official media and do you have a licensed copy? The popular Windows cracking tool "windows loader" tampers with the boot loader...
Apr 15, 2016 at 11:59 AM
DO NOT DISABLE updates, but don't allow them to run automatically either.

These days we are at the peril of some manufacturers, can anyone say Lenovo? .... they also add risk to your machine by running code at pre-boot level, telling Windows to do things. This probably isn't the case here.

It is most likely a false positive.

Some programs write to particular areas as a copyright theft protection; it isn't limited to the programs listed. This is painful, but it might be the reason. Windows may do a boot repair and damage the VC area too.

Of course, running Windows itself is dangerous enough, but you really need the security updates at the very least if you do so.
Apr 15, 2016 at 1:13 PM
Edited Apr 15, 2016 at 1:14 PM
@vda_mike:
False positives of Evil Maid Attack detection are rare and, as you found it out, they are caused by bad licensing software (like FlexNET/Adobe) that write licensing information in the boot sectors, thus tampering with VeraCrypt bootloader.

Definitely, something in your machine is modifying VeraCrypt bootloader, being it a licensing software or other components. To check if it is a one-time tampering or a persistent tampering, you should boot on VeraCrypt Rescue Disk and choose the Repair menu and then select the option to restore VeraCrypt Bootloader.

Does the Evil Maid message never come back after you restore VeraCrypt bootloader using the Rescue Disk?

If yes, then the first thing to do is to change your pre-boot passwords but if I were you I will not use this machine for sensitive things unless I discover the origin of VeraCrypt bootloader tampering: this could be caused by bad software like FlexNET or it can be more sinister like a BIOS based Rootkit.

Another question: do you have the Evil Maid message only on the hidden OS or also on the original system? Logically, you should have the message on both.

@affinity is right: some motherboards may inject code at pre-boot level and their behavior is not distinguishable from Rootkits. The Evil Maid detection mechanism in VeraCrypt can help detect such cases but it is not enough in itself. That is why it is important to choose the hardware used on sensitive machines very carefully.
Apr 18, 2016 at 9:45 PM
Edited Apr 18, 2016 at 9:46 PM
Thanks for all the replies so far.

To answer Testoslav, I am not doing anything illegal and I don't think there is a reason that I am under any kind of surveillance :)

And yes, the Windows 7 that I installed is an official licensed copy.
Apr 18, 2016 at 9:50 PM
Edited Apr 18, 2016 at 9:52 PM
Hi Idrassi,

Thanks for your reply.
To check if it is a one-time tampering or a persistent tampering, you should boot on VeraCrypt Rescue Disk and choose the Repair menu and then select the option to restore VeraCrypt Bootloader.

Does the Evil Maid message never come back after you restore VeraCrypt bootloader using the Rescue Disk?
Not sure if there is a misunderstanding because I was trying to create a hidden OS and I was NOT even at the step of creating the Rescue Disk yet. I am only midway through because I encountered the EVIL MAID message just after the creation of the Hidden OS. That step will come later when I create the Decoy OS but at the moment I just finish creating the Hidden OS and I have NO Rescue Disk yet.

To re-iterate, the following were what I did.

1) Bought a brand new computer and the computer shop assembled it for me. Everything including the CPU, harddrive, motherboard, keyboard, router etc are all new.

2) I installed an official licenced Windows 7 copy onto the harddrive myself. Then I installed a paid licensed copy of antivirus software onto Windows. Then connected the system through the new router to the internet for 3 hrs, just to do the routine Windows updates and activation.

3) Then, I installed VC and tried to create a hidden OS. The timeline was something like this ==>> At 8am I first created the Outer System, and it took 1 hr and the process finished at 9am. After that I set a hidden OS password and the creation of hidden OS started at 9am and finished at 12pm. After the creation of hidden OS, the screen asked me to enter the hidden OS password and it booted back into Windows the 1st time. Once booting back into Windows, that "EVIL MAID ATTACK" came up the 1st time. If you see the timeline here you can see that the VC bootloader has just been created and during the process no one other than me have physical access to the computer, and the computer was not connected during the internet.

So when the VC bootloader was newly created after the creation of the hidden OS and the system booted back into the Windows the 1st time, the EVIL MAID message came up.
Apr 18, 2016 at 9:53 PM
From Idrassi,
Another question: do you have the Evil Maid message only on the hidden OS or also on the original system? Logically, you should have the message on both.
Now, whenever I boot into the hidden OS, the EVIL MAID message comes up. However, in the screen when it asks for a hidden OS password, there is an option [ESC][Boot Non-Hidden System](Boot Manager) and when I pressed ESC, the system booted back into the original system, and the Evil Maid message DID NOT come up. There was only a VC message telling me that the HIDDEN OS has been successfully created but is not ready to be used. It says I should go back into the hidden OS and have VC delete the original system and after that I should reinstall Windows to create the DECOY OS and the whole process is done.

So, to answer your question, NO the Evil Maid message DOES NOT appear in both the hidden OS and original system. Just the HIDDEN OS.
Apr 18, 2016 at 9:55 PM
Hi Idrassi,

Not sure if you agree, but I think the following are the possibilities:

1) It's just a false positive. But what cause such a false positive? I searched the computer and also looked through the "Services" tab, and I couldn't see anything related to "Flexnet" or "Adobe" in them. Do I look for words like "Flexnet" and "Adobe" specifically, or do I have to look for something else as well? The only 3rd party licensing software on my computer is the Antivirus software.

2) The false positive is caused by a certain brand of motherboard/BIOS. Do you have such info? Or the BIOS was compromised during the Windows updates when the computer was connected to the internet. But it should be very unlikely.

3) Something else was compromised on my system and so the bootloader was compromised. But it's a brand new computer and the only one who has physical access to it is me and so far it was only connected to the internet during the Windows update stage.
Apr 18, 2016 at 10:00 PM
Idrassi wrote:
but if I were you I will not use this machine for sensitive things unless I discover the origin of VeraCrypt bootloader tampering: this could be caused by bad software like FlexNET or it can be more sinister like a BIOS based Rootkit.
It's a new system and the whole system will go to waste if I don't use it for sensitive/business related stuff (which I don't really want to go to waste), but I agree with you about the "unless I discover the origin of VeraCrypt bootloader tampering".

That's why I want to dig deep to see if it's just a false positive and if yes, what is causing it (e.g Flexnet? But I didn't find any files related to it through a search of my computer already).

If you can provide some useful hints/directions here I would appreciate. I just want to make sure if such EVIL MAID message is just a false positive or if my system is really compromised. But if it compromised, how could it be? The Evil Maid message came up immediately after the creation of hidden OS. So, does it mean that once the VC bootloader was 1st created and the system booted back into Windows the 1st time, something immediately changed the VC bootloader (that has just been newly created) in an EVIL way?

FYI, I searched some old posts and this person seems to have similar experience as me. He saw the EVIL MAID message came up the 1st time also at the point immediately after the HIDDEN OS was created. Our patterns were similar and perhaps you are interested to take a look to see if it's VC related, or if it's something else.

https://sourceforge.net/p/veracrypt/discussion/technical/thread/62eb6cac/

Thanks.
Apr 21, 2016 at 8:25 PM
Edited Apr 21, 2016 at 8:27 PM
Hi,

Sorry for the late answer. Not easy to keep up with all posts and development at the same time.

I asked about using the Rescue Disk to restore the VeraCrypt bootloader but you said that this doesn't apply, which is wrong: since you already performed the encryption of the outer system, you definitely have the Rescue Disk.
So, can you please use the Rescue Disk that was created in order to restore VeraCrypt bootloader and see if this solves the problem? This is the only way to see if the bootloader tampering happens only once or every time.

As for using cascade algorithm or not, as it is mentioned in the documentation, this doesn't change anything here: the detection mechanism will always trigger a message if the bootloader is modified. The documentation talks about the case where you can't boot at all because of FlexNET tampering with the bootloader that uses cascade encryption.
Apr 22, 2016 at 4:22 PM
Edited Apr 22, 2016 at 4:23 PM
affinity wrote:
DO NOT DISABLE updates, but don't allow them to run automatically either.
Of course it is important to use up to date software, but if there is some suspicion, like you are under surveillance, have a hacked router, or whatever (and that case surely is dubious), disabling updates is very important, because the third party can inject their evil code into whatever is coming from the internet to his PC. Disabling updates was meant only for the purpose of the testing after clean install. The original Windows media is clean, so he can clean install and obtain VeraCrypt from another source (downloaded by a third party onto a third party flash drive). But if there's a hacked BIOS, clean install won't help.

btw. @vda_mike I was just asking if that's indeed the silver media from MS, wasn't implying anything ;-) You never know if you are under surveillance, in fact, we all are, and they even tamper with our data, censoring and redirecting DNS, etc... so why not patch VeraCrypt? All VC users are under suspicion, because they encrypt, privacy is not a trendy thing.
Apr 25, 2016 at 5:57 PM
Testoslav wrote: "Disabling updates was meant only for the purpose of the testing after clean install. The original Windows media is clean, so he can clean install and obtain VeraCrypt from another source (downloaded by a third party onto a third party flash drive). But if there's a hacked BIOS, clean install won't help."

Hi Testoslav,

Yes, I know what you meant. I am still thinking about the source of the Evil Maid message. I am confused as the whole system is new. If I can't think of any possible source, I think what I will do is to get a new hard drive and install Windows 7 on it, and this time WITHOUT the updates and the paid licensed AntiVirus software. So, it's just a fresh install without any 3rd party software and without Windows 7 ever connecting to the internet. Then I will install VC from the CD media that I saved it on. Then I will go through the whole process of creating a hidden OS and see if the Evil Maid message still comes up.

And if the Evil Maid message still comes up, then does it mean that the hardware is compromised, most likely the motherboard (or its BIOS)? Or it can still be a false positive because of a certain brand of motherboard? Very confused here as all the hardware is new and don't see how the motherboard, BIOS etc got compromised.

Just how often do people encountered such Evil Maid message which is a false positive? Any other users have similar experience?

Thanks.
Apr 25, 2016 at 6:02 PM
idrassi wrote:
Hi,

Sorry for the late answer. Not easy to keep up with all posts and development at the same time.

I asked about using the Rescue Disk to restore the VeraCrypt bootloader but you said that this doesn't apply, which is wrong: since you already performed the encryption of the outer system, you definitely have the Rescue Disk.
So, can you please use the Rescue Disk that was created in order to restore VeraCrypt bootloader and see if this solves the problem? This is the only way to see if the bootloader tampering happens only once or every time.
Hi Idrassi,

Thanks for your reply. I am a bit confused about the sequence of creating the Rescue Disk. I was not being prompted by VC to create a Rescue Disk yet and so I don't have any at the moment. Am I doing anything wrong?

I have been using Truecrypt for a few years and this is the 1st time I used VC. I created a few hidden OSs using TC and so I am familiar with the steps, and TC (and this time VC) always only prompted me to create the RESCUE DISK just before encrypting the Decoy OS. The following was what ALWAYS HAPPENED in my case.

1) Create Outer System.
2) After creating the Outer System, TC/VC prompted me to create the Hidden OS.
3) After creating the Hidden OS, TC/VC prompted me to delete the original Windows 7.
4) After deleting the original Windows 7, I installed a new copy of Windows 7 as the decoy OS and installed VC on it again. Then VC will ask me to create the Rescue Disk JUST BEFORE encrypting the DECOY OS. This is the MOMENT that I created the RESCUE DISK.


I am CURRENTLY at STEP 3 above and so far I pressed "DEFER" to postpone the deletion of the original system as I saw that EVIL MAID message.

TC/VC never prompted me to create the RESCUE DISK just after creating the OUTER SYSTEM, but in your reply above, you said since I already created/encrypted the Outer System, I definitely have the Rescue Disk, but actually I don't have it because I was not yet at the step (i.e. STEP 4 above) where VC prompted me to create the Rescue Disk.

Idrassi, I am confused here. Am I doing anything wrong here? At the moment I can't restore the VC bootloader as you suggested because I don't have the Rescue Disk.

Thanks.
Apr 25, 2016 at 6:17 PM
Edited Apr 25, 2016 at 6:20 PM
I'm not going to get in to much detail here, but if you are somehow a target, then the following can be true:
  • hardware was intercepted before you got it and adjustments (hardware or software [BIOS?] or both)
The hardware may be using facility in the BIOS to pass files / data to Windows to allow Windows to be able to drive a component or something else. It is possible for modern BIOS to provide Windows with code to run, by implanting it to known locations that Windows checks to run whilst starting Windows. Now, that kind of implant by the BIOS shouldn't be possible if the OS area is fully encrypted -- so it may, I don't know really, do something with the boot loader for this reason or for other reasons.

Really, one of the biggest problems today is being able to trust your hardware, even before you install any kind of software in a fresh manner. It may, in some circumstances, be better to buy older hardware that is less likely to cause grief with drivers as well as possible new "implants / vulnerabilities" provided by the manufacturer or at some point after manufacture before you receive it. Cisco routers had implanted "extras", Juniper routers had compromised code, Huawei routers were remotely exploitable -- granted these are routers, but that doesn't mean there aren't exploit / vulnerability options available for different hardware. OTOH, newer hardware gives some possibilities to be more secure, such as post iPhone 5c models with secure enclave, but we aren't talking about phones here.

Edit: sorry, should have proof read before posting.... some corrections made.
Apr 28, 2016 at 6:17 PM
Edited Apr 28, 2016 at 6:20 PM
affinity wrote:
OTOH, newer hardware gives some possibilities to be more secure, such as post iPhone 5c models with secure enclave, but we aren't talking about phones here.
Oh come on, do you really believe that closed source ios made in usa is really more secure? You are safe maybe from thieves, but not from government.

You are right, that today's bioses are big enough for the linux kernel with extras, so if they can get their hands on the hw (when ordered via internet and paid by card, etc), they can run their own system even before you start installing. So I don't think newer hardware is more secure, intel management engine is another threat.

Who knows, maybe chinese are planting backdoors, usa know about some of them and use them to spy on citizens, and chinese use holes to spy on the US government :-)
Apr 28, 2016 at 7:05 PM
Edited Apr 28, 2016 at 7:06 PM
Trust Apple? Not really.

Apple is an excellent marketing company, they don't admit to faults and there are all sorts of other reasons not to trust them; being in the US is just one reason.

The CVE numbers for 2015 had Apple product at number 1 and number 2, usually reserved for Adobe Flash Player....
  1. OS X
  2. iOS
  3. Adobe Flash Player
  4. Adobe Air SDK
  5. Adobe Air
  6. Adobe Air SDK & Compiler
  7. Internet Explorer (exploder)
  8. Chrome
  9. Firefox
Surprisingly Java way down in the list, but JAVA really stands for "Just Another Vulnerability Announcement" ;-)

( 29. ) JRE (Oracle)
( 30. ) JDK (Oracle)

So, yeah, we are kidding ourselves if we want to trust the likes of Micro$oft and crApple.....,
May 2, 2016 at 1:53 PM
Edited May 2, 2016 at 1:53 PM
Hi Idrassi,
I am experimenting with VeraCrypt Hidden Operating System.
I have problems, just like Mike, on a Toshiba portege R700 with new 500gb SSD.

Starting with fresh install of Windows 10
1) Create Outer System.
2) After creating the Outer System, VC prompted me to create the Hidden partition.
3) After creating the Hidden partition, VC prompted me to move the OS to the Hidden partition
4) After the OS is in the Hidden partition, I reboot and I saw that EVIL MAID message
(I was not being prompted by VC to create a Rescue Disk yet)
5) After wiping the original Windows 10, I installed a new copy of Windows 10 as the decoy OS
6) I installed VC on it again and at this step VC asked me to create the Rescue Disk.
(I used AES 256 in all cases)

PROBLEMS :
I enter my decoy OS password and the decoy OS works fine
I enter my hidden OS and I got "Incorrect password" message. ( I don't really care for data , I am just experimenting)
When I am in the decoy OS I can mount the hidden OS and see all my hidden files

With much experimenting I discovered that
a) When I boot from the Rescue Disk then I can normally use my hidden OS password and run my hidden OS normally. (No Evil Maid message)
b) When I boot from the SSD and I use my hidden OS password then I get the "Incorrect password" message.
May 9, 2016 at 7:53 PM
Hi bestgps,

Did you solve the problem or verify anything about the Evil Maid message, i.e. to try to create the Hidden OS all over again to see if the same Evil Maid message comes up? So far I am idle as I was busy in the last 2 weeks. So far I am at your Step 4, as I stopped proceeding immediately once I saw that Evil Maid Message. So far I haven't come up with a solution as I am not sure what went wrong and not sure if my system is truly being compromised or if it's just a false positive. So, I haven't used my new system at all since I bought it.

What I want to do is know the correct steps to make sure that the system is not compromised, and the procedure to verify and make sure that the Evil Maid message is just a false positive.

Best Wishes.
May 9, 2016 at 8:07 PM
Hi vda_mike
I am 99% sure that we have a bug here with Evil Maid message.
Your hidden system starts without problem ?
My hidden system starts ONLY when I boot from the Rescue Disk

(I format everything and made a simple encrypted system)
May 10, 2016 at 10:16 AM
May 24, 2016 at 9:02 AM
Hi bestgps,

Thanks for your response. My reply is a bit late as I am very busy.

You asked me if my hidden system started without a problem or not. Yes, it starts without a problem, but the Evil Maid message came up every time I started Windows 7 (the hidden system), and so I stopped at your step 4, which means I didn't start wiping the original Windows and so far I still haven't installed the decoy OS yet. I just set aside my new PC at the moment.

You said you formatted everything and "made a simple encrypted system". Do you mean you just installed Windows 10 onto the formatted hard drive again, with no Hidden System? In this case, did you see the Evil Maid message come up even once after you encrypted the whole Windows 10 OS (the whole partition which Windows 10 is installed on)? Have you experienced any issue ever since?

It seems that you are pretty sure that the Evil Maid message on your system is a false positive. In June I will have more time and will try to figure out what happened to my system and see if that Evil Maid message is a false positive or not (any suggestions from you or other VC users about the steps to test if indeed that Evil Maid message is a false positive are welcome).

Thanks.
May 24, 2016 at 9:06 AM
Hi SDXC,

Thanks for your link and I've read the article. It seems that the majority of the article has to deal with tampering with the PC and hard drive's boot sector or firmware after they are out of the factories (like infecting the PC/hard drive with USBs or CDs and thus the Evil Maid), but in my case I am the only one having access to the computer and I am sure no other people have physical access or network access to it. The only time I connected the PC to a network/internet was the time I did the official Windows update for 3 hrs. It's a pretty standard procedure and again I don't think I have done anything special/illegal that made me a specific target.

Any chance that you think the Evil Maid message can be just a false positive and do you have any pointers as to what I have to check in order to see if it's just a false positive or not?

Thanks.
Oct 6, 2016 at 11:18 PM
Hi all,

Thanks to @vda_mike here and the other thread (https://veracrypt.codeplex.com/discussions/658026), I was able to find a bug in the Evil-Maid detection that was triggered in some special cases which include the creation process of hidden OS.

I have fixed this bug and I was able to test @vda_mike scenario and validate that there is no more false-positive detection.

I will publish tomorrow a beta for 1.19 that will include this fix so that you can validate on your side. FYI, I'm busy finalizing 1.19 that will include fixes and modifications related to the ongoing audit alongside performance enhancements for Serpent algorithm.

Sorry for not catching this bug earlier in my test configurations.
Oct 8, 2016 at 6:02 AM
Hi Mounir,

I am very thankful for your reply. Really appreciate that you are taking time out of your busy schedule to take a look at the issues.

In your above reply, you mentioned that "I was able to find a bug in the Evil-Maid detection that was triggered in some special cases which include the creation process of hidden OS".

Would you please provide some brief details about the causes that triggered the false positives of Evil Maid detections in such cases?

In 3 of my cases testing on 3 different computers, I did not install any 3rd party software or Windows drivers or even drivers of the motherboard and so they were just fresh installations of Windows 7 together with VC1.17 or VC1.18 and so I believe I have eliminated the possibilities of false positives caused by FLEXnet Publisher/SafeCast. In all 3 cases of creating the Hidden OS I think my procedure is pretty straightforward and standard and I believe I didn't do anything out of the norm. I tested different configurations and indeed when I just encrypted the whole Windows 7 partition without creating Hidden OS, such Evil Maid messages did not appear. Only creating a Hidden OS will trigger an Evil Maid warning.

A reply from you is very much appreciated as I believe other users might be interested in knowing about the information that you will provide.

Merci Beaucoup. Thanks.
Oct 8, 2016 at 11:16 PM
Hi Mike,

The detection of Evil-Maid attacks is performed by calculating the hash of the MBR boot sector + the bootloader stored on disk and then compare the result with the hash of the MBR boot sector + bootloader embedded in the program resources.

The MBR boot sector consists of 512 bytes but we only hash the "static" part of these bytes since some of them can change (for example, if the user chooses to display a custom message at Pre-Boot, its 24 characters will be stored in a range in the boot sector and so this range is excluded from the hash computation).

Unfortunately, one byte in the MBR boot sector was mistakenly considered as "static" whereas its value changes: it is the byte at offset 439. This byte's value changes during the hidden OS creation process since we set a flag in it to help VeraCrypt determine the state of the hidden OS creation process. That's why the Evil-Maid attack detection was triggered during the first boot of the hidden OS and it disappears after the decoy OS is encrypted.
Also this byte's value is different between Windows XP and Windows Vista and above, so if the decoy OS is Windows 7 for example and the hidden OS is Windows XP, the false-positive detection of Evil-Maid will be triggered in Windows XP hidden OS.

I hope this clarifies the issue.

By the way, I was planning to publish a beta today containing the fix but I'm still waiting for Microsoft to sign the new VeraCrypt driver (mandatory for the latest Windows 10 versions). Normally, the process is quick but this time it is unusually long...I will let you know when I receive the signed drivers.
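The check described in the post above, sketched as an added example (this is not VeraCrypt's code): it hashes the static part of a constructed 512-byte boot sector plus a constructed loader and compares the result with a reference, before and after offset 439 is excluded. SHA-256, the message offset 406, the flag value 0x10 and all sample bytes are assumptions made for illustration; only the 512-byte sector, the 24-character message and offset 439 come from the thread.

```python
import hashlib

SECTOR_SIZE = 512
USER_MESSAGE_LEN = 24      # from the thread: 24-character pre-boot message
STATE_FLAG_OFFSET = 439    # from the thread: byte that changes during hidden OS creation
USER_MESSAGE_OFFSET = 406  # assumed placement of the message for this example

# (offset, length) ranges of the boot sector that are left out of the hash.
EXCLUDED_BEFORE_FIX = [(USER_MESSAGE_OFFSET, USER_MESSAGE_LEN)]
EXCLUDED_AFTER_FIX = EXCLUDED_BEFORE_FIX + [(STATE_FLAG_OFFSET, 1)]


def static_bytes(sector, excluded):
    """Return the boot sector with every excluded (dynamic) range removed."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    keep = bytearray()
    pos = 0
    for offset, length in sorted(excluded):
        keep += sector[pos:offset]
        pos = offset + length
    keep += sector[pos:]
    return bytes(keep)


def fingerprint(sector, loader, excluded):
    """Hash the static boot-sector bytes followed by the loader (SHA-256 is a stand-in)."""
    h = hashlib.sha256()
    h.update(static_bytes(sector, excluded))
    h.update(loader)
    return h.hexdigest()


def tamper_warning(disk, reference, excluded):
    """True when the on-disk fingerprint differs from the reference fingerprint."""
    return fingerprint(*disk, excluded) != fingerprint(*reference, excluded)


def sample_reference():
    """Constructed reference image: placeholder code bytes, boot signature, dummy loader."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:4] = b"\xEA\x1E\x7C\x00"
    sector[510:512] = b"\x55\xAA"
    loader = bytes(range(256)) * 8
    return bytes(sector), loader


def patched(data, offset, new_bytes):
    """Return a copy of data with new_bytes written at offset."""
    out = bytearray(data)
    out[offset:offset + len(new_bytes)] = new_bytes
    return bytes(out)


def scenarios():
    """Map each constructed case to (warning before fix, warning after fix)."""
    ref = sample_reference()
    sector, loader = ref
    cases = {
        "unchanged": ref,
        "custom message set": (
            patched(sector, USER_MESSAGE_OFFSET, b"Missing operating system"), loader),
        "hidden OS state flag set": (
            patched(sector, STATE_FLAG_OFFSET, b"\x10"), loader),
        "boot code modified": (patched(sector, 0, b"\x90"), loader),
        "loader modified": (sector, patched(loader, 100, b"\xFF")),
    }
    return {
        name: (tamper_warning(disk, ref, EXCLUDED_BEFORE_FIX),
               tamper_warning(disk, ref, EXCLUDED_AFTER_FIX))
        for name, disk in cases.items()
    }


if __name__ == "__main__":
    for name, (before, after) in scenarios().items():
        print(f"{name:26} before fix: {before!s:5}  after fix: {after}")
```

Every excluded range is also a range the fingerprint does not protect, which is why the exclusion list is kept to the bytes that legitimately change.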
Oct 13, 2016 at 11:08 PM
I finally received the signed driver for 1.19-BETA3 from Microsoft and so I published the new Windows installer at https://sourceforge.net/projects/veracrypt/files/VeraCrypt%20Nightly%20Builds/
If you can validate that indeed it solves the false-positive detection of Evil-Maid attack, that would be great.

The official 1.19 should come in 1 or 2 days.
Nov 3, 2016 at 9:00 AM
Hi Mounir,

Just to provide an update about the issue. The Evil Maid false positive issue is gone in my latest test. Thanks.

And just in case any other VC users still experience the same Evil Maid detection issue with the latest version of VC, please provide your feedbacks.

Again thanks Mounir for following up on the issue and your effort and dedication in the VC project is very much appreciated by all VC users. Keep up the good work.
Nov 10, 2016 at 2:35 PM
Edited Nov 11, 2016 at 10:18 AM
Hi, glad to see this fixed. So I tried to reproduce the error on V1.19 and evil maid appeared again, but it is apparently not a problem of veracrypt. Made a clean win 10 64 install, without updates, did a few restarts, everything was OK. So I tried to install old autocad lt 2007 again and run in trial mode. Then I rebooted and evil maid appeared. I have not even activated autocad, just installed and run it. So that is probably not the maid who is evil in here. Autocad is! That is one piece of crap, which I'm not going to support. I don't like their rent-only licensing policy lately, so I will try proge cad which is way cheaper anyway and if it will not cripple my system, I will probably make a switch.

edit: tried to change password to overwrite boot loader, restarted few times and everything was ok until I launched autocad again. After restart evil maid appeared. No doubt it is evil autocad. I have tested with progeCAD and it behaves fine, at least in trial version.

edit2: I know 2007 is very old version, so I have tried autocad 2017 trial and it does trigger the evil maid message too (in trial mode), so I will probably go with progeCAD, which is veracrypt (and of course autocad) compatible.