diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh
index 5f7e6cd..a485dc2 100755
--- a/modules/security/malware-scanner.sh
+++ b/modules/security/malware-scanner.sh
@@ -603,6 +603,9 @@ cleanup_on_exit() {
     local exit_code=$?
     echo ""
 
+    # Remove running marker file
+    rm -f "$SCAN_DIR/.scan_running"
+
     # Only log if session log exists
     if [ -f "$SESSION_LOG" ]; then
         log_message "Cleanup triggered (exit code: $exit_code)"
@@ -651,6 +654,9 @@ echo ""
 
 log_message "Scan session started"
 
+# Create marker file to indicate scan is running
+touch "$SCAN_DIR/.scan_running"
+
 # Detect available scanners
 AVAILABLE_SCANNERS=()
 
@@ -1847,8 +1853,9 @@ check_standalone_status() {
     for dir in "${standalone_dirs[@]}"; do
         local session_name=$(basename "$dir")
 
-        # Check if still running
-        if pgrep -f "$dir/scan.sh" > /dev/null 2>&1; then
+        # Check if still running by looking for bash process executing scan.sh
+        # Use pgrep with exact match to avoid false positives from viewers/editors
+        if pgrep -f "bash $dir/scan.sh" > /dev/null 2>&1 || [ -f "$dir/.scan_running" ]; then
             echo -e "  ${GREEN}●${NC} $session_name [RUNNING]"
             ((running_count++))
 
@@ -1913,7 +1920,7 @@ delete_standalone_sessions() {
         local session_name=$(basename "$dir")
         local status="completed"
 
-        if pgrep -f "$dir/scan.sh" > /dev/null 2>&1; then
+        if pgrep -f "bash $dir/scan.sh" > /dev/null 2>&1 || [ -f "$dir/.scan_running" ]; then
             status="${GREEN}running${NC}"
         fi