diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh
index 29085ae..b565b2f 100755
--- a/modules/security/malware-scanner.sh
+++ b/modules/security/malware-scanner.sh
@@ -288,9 +288,12 @@ detect_control_panel() {
 CONTROL_PANEL="cpanel"
 export PATH=/usr/local/cpanel/3rdparty/bin/:$PATH
- while IFS= read -r docroot; do
- [ -n "$docroot" ] && docroot_array+=("$docroot")
- done < <(cut -d= -f5 /etc/userdatadomains | sed 's/==/=/g' | sort -u)
+ while IFS= read -r line; do
+ # Format: domain: user==owner==main==domain==docroot==...
+ # Extract docroot (field 5, 0-indexed field 4)
+ docroot=$(echo "$line" | awk -F'==' '{print $5}')
+ [ -n "$docroot" ] && [ -d "$docroot" ] && docroot_array+=("$docroot")
+ done < <(cut -d: -f2- /etc/userdatadomains | sort -u)
 # Detect Plesk
 elif [ -f "/usr/local/psa/version" ]; then
@@ -364,9 +367,10 @@ get_user_docroots() {
 local user_docroots=()
 if [ "$CONTROL_PANEL" = "cpanel" ]; then
- while IFS= read -r docroot; do
- [ -n "$docroot" ] && user_docroots+=("$docroot")
- done < <(grep "^${username}:" /etc/userdatadomains | cut -d= -f5 | sed 's/==/=/g' | sort -u)
+ while IFS= read -r line; do
+ docroot=$(echo "$line" | awk -F'==' '{print $5}')
+ [ -n "$docroot" ] && [ -d "$docroot" ] && user_docroots+=("$docroot")
+ done < <(grep ":.*${username}==" /etc/userdatadomains | cut -d: -f2- | sort -u)
 else
 echo -e "${RED}User-specific scanning only supported on cPanel${NC}"
 return 1
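Review bot: The `sort -u` in the first hunk now de-duplicates whole `user==owner==...` records rather than extracted docroots, so two domains that share a docroot are probably no longer collapsed and the same directory can land in `docroot_array` and be scanned more than once. The `user_docroots` loop in the second hunk has the same pattern. Going by the format comment in the hunk, splitting the unmodified line on `==` already gives the docroot as field 5, so the loop could keep `read -r docroot` and end with `done < <(awk -F'==' '{print $5}' /etc/userdatadomains | sort -u)`, which restores de-duplication and drops the `echo | awk` subprocess per record. `detect_control_panel` starts and ends outside the hunk, so whether `line` and `docroot` are declared `local` cannot be checked from here.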
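Review bot: The pattern `":.*${username}=="` in the second hunk is not tied to the user field: the `.*` lets it match any record where `username==` appears later in the line, such as the owner field or an account whose name merely ends with `$username`, and the name is interpolated as a regular expression. A user-scoped scan can therefore include docroots that belong to other accounts, which makes its coverage and its findings misleading. An exact comparison on the user field avoids this, for example `awk -F'==' -v u="$username" '{ split($1, a, ": "); if (a[2] == u) print $5 }' /etc/userdatadomains | sort -u` feeding `read -r docroot`, assuming the `domain: user==owner==...` layout stated in the first hunk's comment. `get_user_docroots` continues outside the hunk.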