Yara getting "lost" during file/process scanning

[mikebbt]

Just a general question, I've read that the Yara library is thread safe but I'm seeing an issue in my implementation. Can't share the code but it is working like this (running on Windows 10 VM):

1. Creating a single Yara scanner which has been set to use the ReversingLabs rule sets
2. A Go program runs and kicks off a Go routine which uses the same scanner instance to start running process scans on a list of processes
3. The main routine moves forward and starts scanning files (with same scanner instance) on the various volumes

At this point most times the process scans finish in about 15-20 minutes but the file scans seem to hang and never complete. Any thoughts on this? I'm testing now with two Yara scanner instances, one for the process Go routine and the other to process files just to get a different perspective.

[hillu]

You are not supposed to use the same Scanner for multiple concurrent ScanFile, ScanMem, ScanProc calls. Generate multiple Scanner objects from the same Rules to do concurrent / parallel scans.

If this hasn't been clear from the documentation, I'd appreciate a hint, preferably as a pull request.

[mikebbt]

I must have missed that in the docs, where is that stated specifically?

[hillu]

In go-yara's documentation, thread-safety is only mentioned in relation to setting variables. The underlying C struct (from YARA) is YR_SCANNER.

[mikebbt]

Thanks for the feedback!