Hi,
Thank you for sharing this finding.
Actually, the incompatibility with FLEXnet is documented in the incompatibilites section, although not in the context of Evil Maid attack:
https://veracrypt.codeplex.com/wikipage?title=Incompatibilities
Basically, FLEXnet write data to the first drive track and thus it modifies the bootloader. VeraCrypt is able to boot nevertheless because we keep a copy of the bootloader at the end of the first track which is not touched by FLEXnet.
As noted in the documentation,
this is not a bug in VeraCrypt but rather an inapropriate design of the FLEXnet software.
Tampering with the bootloader in the case of system encryption is definitely very bad and in this case you can have any garanree about the security of your system.
One can propose to modify VeraCrypt "Evil Maid" detection mechanism to accomodate FLEXnet case and check only the bootload backup part if the boot was done using the backup but this will give attacker a way to bypass the detection mechanism!
That's why the only thing that can be done in VeraCrypt is to add an option to disable the "Evil Maid" attack detection (administrative privileges will be needed).
It is unfortunate that FLEXnet has this bad design because it gives the possibility to attackers to hide bootloader modifications alongside FLEXnet one and go undetected. This is a malware welcoming approach!
