From e26d23bf5b199498d030d67294b967db29f9673e Mon Sep 17 00:00:00 2001
From: rabbitstack <rabbitstack7@gmail.com>
Date: Thu, 5 Mar 2026 18:42:31 +0100
Subject: [PATCH] fix(yara):  Address ADS scanning leftovers

After moving from NTFS parser to
overlapped I/O, the code for scanning the ADS content were not
adapted accordingly.
---
 pkg/yara/scanner.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/pkg/yara/scanner.go b/pkg/yara/scanner.go
index 746a27c3a..7d2273018 100644
--- a/pkg/yara/scanner.go
+++ b/pkg/yara/scanner.go
@@ -262,8 +262,7 @@ func (s scanner) Scan(e *event.Event) (bool, error) {
 		if err != nil {
 			return false, nil
 		}
-		if n > 0 {
-			data = data[:n]
+		if len(data) > 0 {
 			log.Debugf("scanning ADS %s. pid: %d", filename, e.PID)
 			matches, err = s.scan(data)
 			streamScans.Add(1)