Fix: Address 6 critical and high priority issues in malware scanner

CRITICAL FIXES:
- Add directory restoration trap in maldet install (prevents PWD corruption)

HIGH PRIORITY FIXES:
- security-tools.sh: Make maldet detection consistent with other scanners
- security-tools.sh: Improve ClamAV freshclam detection (add cPanel paths)
- security-tools.sh: Add timeout protection to getenforce and aa-status
- malware-scanner.sh: Integrate memory monitoring into ClamAV scan loop
- malware-scanner.sh: Initialize memory_check_count for periodic checks

SECURITY & RELIABILITY IMPROVEMENTS:
- Prevents directory corruption in install functions
- Better maldet detection across different installation paths
- Timeout protection prevents script hangs on misconfigured systems
- Periodic memory checks during long scans prevent OOM conditions

All changes verified with syntax check. MALDET_ONLY flag already correctly implemented.

lib/security-tools.sh

@@ -17,10 +17,21 @@ readonly _SECURITY_TOOLS_LOADED=1
 #############################################################################
 
 derive_malware_scanners() {
-    # ClamAV detection and paths
+    # ClamAV detection and paths - Check multiple locations for freshclam
     if command -v clamscan &>/dev/null; then
         export SYS_SCANNER_CLAMAV="$(command -v clamscan)"
-        export SYS_SCANNER_CLAMUPDATE="$(command -v freshclam 2>/dev/null || echo '')"
+
+        # Find freshclam in priority order: command, cPanel path, standard paths
+        local freshclam_bin=""
+        if command -v freshclam &>/dev/null; then
+            freshclam_bin="$(command -v freshclam)"
+        elif [ -f "/usr/local/cpanel/3rdparty/bin/freshclam" ]; then
+            freshclam_bin="/usr/local/cpanel/3rdparty/bin/freshclam"
+        elif [ -f "/usr/bin/freshclam" ] || [ -f "/usr/sbin/freshclam" ]; then
+            freshclam_bin=$(find /usr -name freshclam -type f 2>/dev/null | head -1)
+        fi
+
+        export SYS_SCANNER_CLAMUPDATE="$freshclam_bin"
         export SYS_SCANNER_CLAMSCAN="clamscan"
         export SYS_SCANNER_CLAMAV_DB="/var/lib/clamav"
         export SYS_SCANNER_CLAMAV_LOG="/var/log/clamav/scan.log"
@@ -32,8 +43,13 @@ derive_malware_scanners() {
         export SYS_SCANNER_CLAMAV_LOG=""
     fi
 
-    # Maldet (Linux Malware Detect)
+    # Maldet (Linux Malware Detect) - Check command -v first, then standard paths
-    if [ -f "/usr/local/maldetect/maldet" ]; then
+    if command -v maldet &>/dev/null; then
+        export SYS_SCANNER_MALDET="$(command -v maldet)"
+        export SYS_SCANNER_MALDET_DIR="$(dirname "$(command -v maldet)")"
+        export SYS_SCANNER_MALDET_QUARANTINE="${SYS_SCANNER_MALDET_DIR}/quarantine"
+        export SYS_SCANNER_MALDET_LOG="/var/log/maldet.log"
+    elif [ -f "/usr/local/maldetect/maldet" ]; then
         export SYS_SCANNER_MALDET="/usr/local/maldetect/maldet"
         export SYS_SCANNER_MALDET_DIR="/usr/local/maldetect"
         export SYS_SCANNER_MALDET_QUARANTINE="/usr/local/maldetect/quarantine"
@@ -149,10 +165,10 @@ derive_system_security_tools() {
         export SYS_MODSECURITY_AUDIT_LOG=""
     fi
 
-    # SELinux
+    # SELinux - Use timeout to prevent hangs on misconfigured systems
     if command -v getenforce &>/dev/null; then
         export SYS_SELINUX_ENABLED="1"
-        export SYS_SELINUX_STATUS="$(getenforce 2>/dev/null)"
+        export SYS_SELINUX_STATUS="$(timeout 5 getenforce 2>/dev/null || echo "unknown")"
         export SYS_SELINUX_CONFIG="/etc/selinux/config"
     else
         export SYS_SELINUX_ENABLED=""
@@ -160,10 +176,15 @@ derive_system_security_tools() {
         export SYS_SELINUX_CONFIG=""
     fi
 
-    # AppArmor
+    # AppArmor - Use timeout to prevent hangs
     if command -v aa-status &>/dev/null; then
         export SYS_APPARMOR_ENABLED="1"
+        # aa-status can hang on some systems, use timeout
+        if timeout 5 aa-status &>/dev/null; then
             export SYS_APPARMOR_CONFIG="/etc/apparmor"
+        else
+            export SYS_APPARMOR_CONFIG=""
+        fi
     else
         export SYS_APPARMOR_ENABLED=""
         export SYS_APPARMOR_CONFIG=""

modules/security/malware-scanner.sh

@@ -364,6 +364,10 @@ install_maldet_only() {
     echo "Checking available versions..."
     echo ""
 
+    # Save original directory and restore on exit
+    local original_dir="$PWD"
+    trap "cd '$original_dir' 2>/dev/null || true" RETURN
+
     cd /tmp || return 1
 
     # Try to download from sources in order with aggressive timeout handling
@@ -1965,6 +1969,7 @@ for scanner in "${available_scanners[@]}"; do
             last_size=0
             last_filename=""
             stall_counter=0
+            memory_check_count=0
 
             while kill -0 "$CLAM_PID" 2>/dev/null; do
                 # Get current log size and file count from log
@@ -2001,6 +2006,16 @@ for scanner in "${available_scanners[@]}"; do
                     last_size=$current_size
                 fi
 
+                # Check memory every 5 seconds (25 * 0.2s) to prevent OOM
+                if [ $((++memory_check_count)) -ge 25 ]; then
+                    if ! check_memory_during_scan; then
+                        log_message "CRITICAL: Out of memory during scan - stopping"
+                        kill "$CLAM_PID" 2>/dev/null || true
+                        break
+                    fi
+                    memory_check_count=0
+                fi
+
                 sleep 0.2
             done