What is .tmp.node? What is the purpose?

[l9sk]

Everytime I start brave, these files always appears on my tmp folder, I open a few tab, it also appear another .tmp.node file.

I thought this file is cryptomining, but I realise this was create by brave. could someone explain?

[UFLrob]

I second l9sk's questions.

What Brave feature and I disable to prevent Brave from needing the .tmp.node file? Many cannot use Brave in the Enterprise due to malware restrictions preventing an unsigned file (like .tmp.node) from being executed.

[bsclifton]

@l9sk @UFLrob do you have more information? What platform are you on? Where are you seeing this?

I'm definitely not aware of anything which would have this behavior

[UFLrob]

Brave creates a ...temp.node file in the %temp% folder and I was wondering what that file is and what it is used for. The reason I’m asking is that, like many Malware-adverse organizations, my office is switching to a policy of restricting the executables (and DLLs) that Windows will execute to a trusted list. It an effort to allow usage of Brave, I’ve allowed all software signed with the “Brave Software, Inc.” certificate, as I also did for Google and Firefox, but for Brave that did not work. When I remove these protections from my machine and checked the logs, I found that Brave executes a %temp%\%GUID%.TMP.Node file (as shown in the screenshot below), which is not signed. This file also changes, so I am unable to create a Hash rule to allow just this file. [cid:image003.png@01D3E0B4.E6B1BF60] Some organizations that are restricting software, the way we are trying to but in a less-strict manner, would be able to work around even the above problems, allowing all files in the same folder to be executed, but since this file is in the %temp% folder, even this is unlikely to be allowed. I was hoping that you could do one of the following: 1. Sign the .tmp.node file 2. Change the way the .tmp.node file is called so that Windows doesn’t think it’s being executed. 3. Separate the usage so that the data part and the executable part are in different files, with the executable part not changing or being signed. 4. Move the file so that it isn’t in the %temp% folder (while this will not help me, it will likely help others) 5. Let me know, if perhaps there were a feature (in brave) that I could disable that would remove the usage of this file Alternatively, we’re allowing all signed Windows Modern Apps, so perhaps that would be a work around. Thanks, Rob From: Brian Clifton <notifications@github.com> Sent: Wednesday, April 25, 2018 2:17 AM To: brave/browser-laptop <browser-laptop@noreply.github.com> Subject: Re: [brave/browser-laptop] What is .tmp.node? What is the purpose? (#12534) @l9sk<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_l9sk&d=DwMCaQ&c=pZJPUDQ3SB9JplYbifm4nt2lEVG5pWx2KikqINpWlZM&r=rKFnbjqlrdHXCibjgIJz5A&m=eqmAMmVsUBj3219VQUnaBiK9QV1wQC76m_xbRjOWlug&s=DEKuEujfSyUN62rVjDcXxZSXYWZQKU6a5p9CFp6IyI8&e=> @UFLrob<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_UFLrob&d=DwMCaQ&c=pZJPUDQ3SB9JplYbifm4nt2lEVG5pWx2KikqINpWlZM&r=rKFnbjqlrdHXCibjgIJz5A&m=eqmAMmVsUBj3219VQUnaBiK9QV1wQC76m_xbRjOWlug&s=Oo5wXIXFxDR5m-J3ZDbr7qpxE3BhOqTp3W0XH8Fz-mA&e=> do you have more information? What platform are you on? Where are you seeing this? I'm definitely not aware of anything which would have this behavior — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_brave_browser-2Dlaptop_issues_12534-23issuecomment-2D384172501&d=DwMCaQ&c=pZJPUDQ3SB9JplYbifm4nt2lEVG5pWx2KikqINpWlZM&r=rKFnbjqlrdHXCibjgIJz5A&m=eqmAMmVsUBj3219VQUnaBiK9QV1wQC76m_xbRjOWlug&s=nYEzck6v6PgdPmlqWYwIqI8RzV2evBKdScl35VUCQ-o&e=>, or mute the thread<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_Ac2GwuommBCGgOLTRXmW4qVawikg5j68ks5tsBT3gaJpZM4RVOlV&d=DwMCaQ&c=pZJPUDQ3SB9JplYbifm4nt2lEVG5pWx2KikqINpWlZM&r=rKFnbjqlrdHXCibjgIJz5A&m=eqmAMmVsUBj3219VQUnaBiK9QV1wQC76m_xbRjOWlug&s=h4TvwN9F_LnwGZmEsdynUTPR_mDpDgSkmxY-_LRovKM&e=>.

[sdkester]

When you spawn a child process from a file within an asar container, Windows copies it to a temp folder to be executed because it can't run it from within the container.

In our case, the electron-builder smartUnpack function was detecting things like the ssh2 module and correctly putting it in /resources/app.asar.unpacked/, but not sqlite3. On each run, the executable file was copied out of the asar and put into %appdata%/Local/Temp as <guid>.tmp.node.

I suspect that it was undetected because the file extension was .node, not a more common executable like .exe or .dll.

In our case, adding "asarUnpack": "**\\*.node", to the electron-builder configuration adds the sqlite3 module to the unpacked folder and the temp file is no longer created on each run.

[UFLrob]

What I’ve seen is that there is a file called “%appdata%/Local/Temp/<guid>.tmp.node” that must be created (by Brave at startup) and must execute for Brave to start properly. Are you saying that you’re adding an “asarUnpack” line to future Brave builds to prevent the .node file from being created and executed? If so, that would be perfect. If your saying that the file is simply going to be moved from the TEMP folder but will still be dropped and executed, then some of us would also need that file signed with a Cert be able to allow that execution in my environment. Thanks, Rob From: Shaun Kester <notifications@github.com> Sent: Thursday, July 12, 2018 2:09 PM To: brave/browser-laptop <browser-laptop@noreply.github.com> Subject: Re: [brave/browser-laptop] What is .tmp.node? What is the purpose? (#12534) When you spawn a child process from a file within an asar container, Windows copies it to a temp folder to be executed because it can't run it from within the container. In our case, the electron-builder smartUnpack function was detecting things like the ssh2 module and correctly putting it in /resources/app.asar.unpacked/, but not sqlite3. On each run, the executable file was copied out of the asar and put into %appdata%/Local/Temp as <guid>.tmp.node. I suspect that it was undetected because the file extension was .node, not a more common executable like .exe or .dll. In our case, adding "asarUnpack": "**\\*.node", to the electron-builder configuration adds the sqlite3 module to the unpacked folder and the temp file is no longer created on each run. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_brave_browser-2Dlaptop_issues_12534-23issuecomment-2D404600897&d=DwMFaQ&c=pZJPUDQ3SB9JplYbifm4nt2lEVG5pWx2KikqINpWlZM&r=rKFnbjqlrdHXCibjgIJz5A&m=SGCZ3krEvN7D0w3PCafP79aOSONNdkXuin5nLiZBNdk&s=VfxHjZFbPkVJF-m0YGiJwtrIJFFVy2_-8mKa7Kc4aNA&e=>, or mute the thread<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_Ac2GwlbwT-5F2-2DRxWXqTpwrX0b-5Fd9MuV4Jks5uF5CkgaJpZM4RVOlV&d=DwMFaQ&c=pZJPUDQ3SB9JplYbifm4nt2lEVG5pWx2KikqINpWlZM&r=rKFnbjqlrdHXCibjgIJz5A&m=SGCZ3krEvN7D0w3PCafP79aOSONNdkXuin5nLiZBNdk&s=gbHIqi3N7XfSJ42xQMnr64loCkjCXh7uH8YusoAgMOo&e=>.

[sdkester]

@UFLrob I was sharing my discovery from our project with the Brave team to help them identify a possible cause in their project.

@bsclifton I've confirmed that in Windows 10 Pro v1803, Brave v0.23.31 is creating a temp file at %appdata%/Local/Temp as <guid>.tmp.node on each run.

The source of that temp file appears to be the file /app.asar/node_modules/leveldown/build/Release/leveldown.node. I think if you find that you exclude that file from the asar container via your electron-build settings, that this issue will be resolved.

[bsclifton]

Closing as it seems a good amount of investigation has been done (thanks!) and we now know why the temp file is being created. We use level/leveldown for Brave Payments