fix(yara): Address ADS scanning leftovers

rabbitstack · rabbitstack · commit 8ee3ee784b8d · 2026-03-05T22:13:15.000+01:00
After moving from NTFS parser to
overlapped I/O, the code for scanning the ADS content were not
adapted accordingly.
diff --git a/pkg/yara/scanner.go b/pkg/yara/scanner.go
@@ -262,8 +262,7 @@ func (s scanner) Scan(e *event.Event) (bool, error) {
 		if err != nil {
 			return false, nil
 		}
-		if n > 0 {
-			data = data[:n]
+		if len(data) > 0 {
 			log.Debugf("scanning ADS %s. pid: %d", filename, e.PID)
 			matches, err = s.scan(data)
 			streamScans.Add(1)
