Brave Accessing memory of explorer.exe process and Windows Photo Library

Hello,

We turned on Ransomware detection in one of our other tools and it noticed that the Brave Browser is accessing other processes on the system. Specifically, it is accessing the process for Explorer.exe and is accessing graphic files in the Windows Photo Library. I have to explain why this is happening to keep using Brave at work. Please let me know why Brave needs to access processes of other processes like Explorer, etc. Of note, no other browser (Edge, Chrome, Firefox) does this.

Thank you!

This happens when Brave is just sitting there doing nothing, or when the browser is being used by someone?

OP, what browser version and Windows (presumably) version?

@Mattches can you comment please?
If true this seems possibly quite worrying, from a privacy perspective, but I am hopeful there is a simple explanation…

To answer both questions,

  1. Probably when being used, but not sure. We use our browsers continuously.
  2. Brave (latest version - keep it up-to-date).
  3. Windows 10 Enterprise 1909

@gjones67,
Thank you for reaching out. Can you please tell me what tool(s) you’re using to detect this?

The tool that found this is CyberArk. Shows the activity as potential ransomware, though I know it isn’t. I work in cybersecurity and none of our other tools alert for it. We have exceptions in place for Edge and Chrome, but only a few of us use Brave so it was just recently noticed. Once I get Brave approved to use, we may make an exception for it as well so it won’t alert. But anyway, the tool seeing it is CyberArk. Thanks!

Thank you for the information. Looking into this now — appreciate your patience.

explorer.exe is the base of Windows OS. Without it nothing runs. It is expected that ANY software makes use of it or is used by it.
To what extent, no one knows. But Brave has some times of high processing, thus it is expected that explorer.exe is highly in use during these periods.

Hi folks - @gjones67 can you please share a screenshot of what shows for you in CyberArk? Genuinely curious what it’s showing

explorer.exe can be used for shell calls - like when launching a process, etc. One example of this is the Chromium code having a wrapper in base/process/launch.h. The updater might be using it too - specifically when looking at the user and determining if they have access to do an update. I saw some calls related to system tray too.

But there shouldn’t be anything related to Photos. The only thing I can think about would be if you have a photo open in Brave (since it can load and open pictures, etc). If you did that, Windows would put a lock on the file and maybe this is what is showing in CyberArk. The same thing would happen if you put a TXT file in that folder and opened it in Notepad.

Please let us know - thanks!

I’ll reach out to one of the folks that admin CyberArk and see if I can get a screen cap of what Brave is accessing.

In addition to the above, I wonder if it might also make calls that get flagged if someone, for example, gets a filesystem browse dialogue for uploading or downloading of files.

Once we figure this out, I suspect we’ll find that other browsers are doing the same but are whitelisted or tuned out someplace.

@JimB1 good call (RE: other browsers being whitelisted). That is likely the case - a quick test would be to rename brave.exe to chrome.exe and see if it triggers anything. One area I’ve seen complaints has been with regard to anti-cheat game software. Those have allow lists for running processes which allow chrome.exe but don’t have Brave added in there (yet).

The above conversation and input have given us enough information. We are adding Brave to the exceptions list like Chrome and Edge. Thank you all for the help!
