Fix scan status detection - eliminate false "RUNNING" status

Issue: All completed scans showing as "RUNNING" in status check
User reported 5 scans showing RUNNING when they actually completed
hours ago, with 0 scans showing as COMPLETED despite being done.

Root Cause:
Line 1851 used: `pgrep -f "$dir/scan.sh"`

This pattern matches ANY process with that path in its command line:
- The actual scan.sh process (correct)
- Shell sessions viewing results (false positive)
- Editors/viewers with the file open (false positive)
- grep/tail commands on logs (false positive)
- Any process that touched those files (false positive)

This caused completed scans to always show as "RUNNING" because
there were always SOME processes matching the overly broad pattern.

Evidence from User's Status Check:
  malware-20251222-202658 [RUNNING]
  Latest: "Scan session ended - opening interactive shell"

Scan says "ended" but status shows RUNNING - clear false positive!

Solution - Two-part Fix:

1. Use More Specific Process Match:
   Changed from: pgrep -f "$dir/scan.sh"
   Changed to:   pgrep -f "bash $dir/scan.sh"

   This only matches actual bash execution of the script,
   not viewers, editors, or other processes.

2. Add Marker File for Reliability:
   Create .scan_running marker when scan starts
   Remove .scan_running marker when scan exits (in cleanup trap)

   Status check: pgrep OR marker file = running

   This handles edge cases where process check might fail
   but provides definitive state tracking.

Changes:

1. check_standalone_status() (line 1852):
   - Added "bash " prefix to pgrep pattern
   - Added OR check for .scan_running marker file
   - Both in running detection and delete listing

2. Standalone scan.sh template (lines 655, 607):
   - Create marker: touch "$SCAN_DIR/.scan_running" after start
   - Remove marker: rm -f "$SCAN_DIR/.scan_running" in cleanup_on_exit

3. delete_standalone_sessions() (line 1917):
   - Same pgrep + marker file logic for consistency

Result:
Now completed scans will correctly show [COMPLETED] status
instead of falsely showing [RUNNING] due to viewer processes.

Status detection is now accurate and reliable!
cschantz
2025-12-22 22:59:29 -05:00
parent 18f4d93c17
commit 448f1ed1d5
+10 -3
@@ -603,6 +603,9 @@ cleanup_on_exit() {
local exit_code=$? local exit_code=$?
echo "" echo ""
# Remove running marker file
rm -f "$SCAN_DIR/.scan_running"
# Only log if session log exists # Only log if session log exists
if [ -f "$SESSION_LOG" ]; then if [ -f "$SESSION_LOG" ]; then
log_message "Cleanup triggered (exit code: $exit_code)" log_message "Cleanup triggered (exit code: $exit_code)"
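Review bot: The `rm -f "$SCAN_DIR/.scan_running"` added at the top of cleanup_on_exit is the only place the marker is removed, so any termination that skips this function (SIGKILL, an OOM kill, a host reboot) leaves the marker on disk. Because the status check accepts the marker alone as proof of a running scan, that brings back the permanent false [RUNNING] this commit sets out to fix. Consider having the status side validate the marker instead of trusting its existence, for example by checking that a PID recorded in it is still alive.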
@@ -651,6 +654,9 @@ echo ""
log_message "Scan session started" log_message "Scan session started"
# Create marker file to indicate scan is running
touch "$SCAN_DIR/.scan_running"
# Detect available scanners # Detect available scanners
AVAILABLE_SCANNERS=() AVAILABLE_SCANNERS=()
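Review bot: `touch "$SCAN_DIR/.scan_running"` creates an empty file, so nothing distinguishes the marker of a live scan from one left behind by an earlier run. Writing the shell's PID into it (`echo $$ > "$SCAN_DIR/.scan_running"`) would give the status check something it can verify. The call is also unchecked: if it fails because the directory is not writable, the scan continues with no marker and detection silently falls back to pgrep alone, so a log_message on failure would be worth adding.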
@@ -1847,8 +1853,9 @@ check_standalone_status() {
for dir in "${standalone_dirs[@]}"; do for dir in "${standalone_dirs[@]}"; do
local session_name=$(basename "$dir") local session_name=$(basename "$dir")
# Check if still running # Check if still running by looking for bash process executing scan.sh
if pgrep -f "$dir/scan.sh" > /dev/null 2>&1; then # Use pgrep with exact match to avoid false positives from viewers/editors
if pgrep -f "bash $dir/scan.sh" > /dev/null 2>&1 || [ -f "$dir/.scan_running" ]; then
echo -e " ${GREEN}${NC} $session_name [RUNNING]" echo -e " ${GREEN}${NC} $session_name [RUNNING]"
((running_count++)) ((running_count++))
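Review bot: The new comment promises an "exact match", but `pgrep -f "bash $dir/scan.sh"` is still an unanchored regular-expression match against the full command line: no `-x` is passed, and `$dir` is interpolated unescaped, so dots and other metacharacters in the path act as pattern syntax. Any process whose command line contains that text still counts as the scan, and a scan started with a relative path or through another interpreter will not match at all. Either reword the comment to say the match is narrower, not exact, or tighten the check (anchor the pattern, or compare against a PID the scan records itself).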
@@ -1913,7 +1920,7 @@ delete_standalone_sessions() {
local session_name=$(basename "$dir") local session_name=$(basename "$dir")
local status="completed" local status="completed"
if pgrep -f "$dir/scan.sh" > /dev/null 2>&1; then if pgrep -f "bash $dir/scan.sh" > /dev/null 2>&1 || [ -f "$dir/.scan_running" ]; then
status="${GREEN}running${NC}" status="${GREEN}running${NC}"
fi fi
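Review bot: The condition on the changed `if` line is a copy of the one in check_standalone_status(), and now that the rule is two tests joined by `||` the two call sites can drift apart on the next change. Move it into a single helper that takes the session directory and call it from both places. This matters more here than in the status listing, because the label shown in delete_standalone_sessions() is what the operator relies on when choosing sessions to delete.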