
Evil Maid attack message

Topics: Technical Issues
Nov 29, 2016 at 3:15 PM
I keep getting the "…bootloader fingerprint failed…"Evil Maid" attack…" message on boot. It only happens after I've traveled and logged onto the internet through a hotel wi-fi connection, and it always happens when I do. When I get home I use the rescue disk to restore the boot loader and key data, and that eliminates it. Most recently, the only internet access I made use of was to upload some modifications to my own web site, and check e-mail with Microsoft Outlook.

Details are:
  1. Sony Vaio notebook.
  2. Windows 10 Pro, Version 1607 (64 bit)
  3. All software legit and properly licensed.
  4. Full disk encryption, no hidden OS
  5. Fully up-to-date Norton Security
  6. VeraCrypt 1.19 (64 bit)
I'm confident this is a false positive, and this is irritating.
Nov 30, 2016 at 11:40 AM
There has been a bug, which should be fixed in 1.19 final. And there are also some evil software protections like AutoCAD has. Please read this topic:

Could that be your case? What licensed software are you using?
Dec 3, 2016 at 1:30 PM
I am using 1.19 final, which I stated in #6 above.

I ran a full system scan in Norton Security--nothing. Then I used the repair disk to restore the boot loader and the key data, which eliminated the Evil Maid attack message. Then I reran a full system scan in Norton Security--nothing.

So the problem was eliminated, and then I installed VMware's virtual machine, and the problem came back. I didn't go outside my firewall, I didn't use that machine to go on the internet or anything. This is clearly a false positive.
Dec 5, 2016 at 11:21 AM
I wrote that to inform you, it does not mean there could not be another bug ;-)

From what you are writing, it looks like VMware tampers with the boot sector too (meaning it places some of its stuff there, like AutoCAD does), which of course VeraCrypt detects, and that's correct. I cannot confirm, because I don't have a licence for VMware; I use VirtualBox, which does what it should (emulates a virtual machine and does not write to the boot sector).

Please state the exact product name and version of VMware you are using; maybe someone will be able to reproduce/confirm. VMware has like a ton of products, but from your topic it should emulate a virtual machine, not write anything into the boot sector, which it probably does. Maybe another evil software protection. That's why I trashed AutoCAD and bought something else.
Dec 6, 2016 at 4:10 PM
I'm using VMware Player 6.0.3 build-1895310. VMware does not require you to purchase a license as long as you do not use it for commercial purposes. I have not purchased a license because I only use it to test my web page html and css code on old versions of Internet Explorer, which I have installed on Windows XP virtual machines, and on Safari, which I have installed on a Macintosh OS X virtual machine. You should be able to download it and install it for debugging purposes without violating their license agreement.

Don't forget, this wasn't just a VMware issue. It occurred repeatedly when I logged onto the internet over a hotel Wifi connection.

Also, one more piece of data: when I boot up the VeraCrypt rescue disk, selecting Repair Option 2 (Restore VeraCrypt Boot Loader) isn't enough to fix the problem. I must also do option 3, Restore key data (volume header).
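
An added example, not part of the thread and not VeraCrypt's own code: to find out which sectors a program actually rewrote when the warning appears, compare a known-good dump of the start of the disk with a dump taken after the alert. The 512-byte sector size, the 63-sector region, and all function names are assumptions for illustration, and the sample data is constructed.

```python
import hashlib

SECTOR = 512        # assumed sector size in bytes
TRACK_SECTORS = 63  # assumed length of the region to compare, in sectors


def sector_digests(image: bytes, count: int = TRACK_SECTORS) -> list:
    """Return the SHA-256 hex digest of each of the first `count` sectors."""
    if len(image) < count * SECTOR:
        # A truncated dump would silently hide changes, so refuse it.
        raise ValueError("dump is shorter than the region being compared")
    return [hashlib.sha256(image[i * SECTOR:(i + 1) * SECTOR]).hexdigest()
            for i in range(count)]


def changed_sectors(baseline: bytes, current: bytes,
                    count: int = TRACK_SECTORS) -> list:
    """Indices of sectors whose contents differ between the two dumps."""
    before = sector_digests(baseline, count)
    after = sector_digests(current, count)
    return [i for i in range(count) if before[i] != after[i]]


def as_ranges(indices: list) -> list:
    """Collapse sorted indices such as [5, 6, 40] into [(5, 6), (40, 40)]."""
    ranges = []
    for i in indices:
        if ranges and i == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], i)
        else:
            ranges.append((i, i))
    return ranges


def constructed_sample():
    """Constructed data: a baseline dump and a copy with three sectors altered."""
    baseline = bytearray(TRACK_SECTORS * SECTOR)
    for i in range(TRACK_SECTORS):
        baseline[i * SECTOR] = i + 1          # make every sector distinct
    current = bytearray(baseline)
    current[5 * SECTOR + 10] ^= 0xFF          # single byte changed in sector 5
    current[6 * SECTOR] ^= 0x01               # adjacent sector 6
    current[40 * SECTOR + 511] ^= 0x80        # last byte of sector 40
    return bytes(baseline), bytes(current)


if __name__ == "__main__":
    base, cur = constructed_sample()
    for lo, hi in as_ranges(changed_sectors(base, cur)):
        print(f"sectors {lo}-{hi} differ from the baseline")
```

Knowing which sector ranges changed, and after which installation or event, is the evidence needed to decide whether a given warning was caused by a specific program writing to the start of the disk.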