diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh
index ef69f58..219d237 100755
--- a/modules/security/malware-scanner.sh
+++ b/modules/security/malware-scanner.sh
@@ -802,8 +802,8 @@ get_domain_docroot() {
 local domain_docroot=""
 if [ "$CONTROL_PANEL" = "cpanel" ]; then
- # Use grep -F for literal matching (safe from regex injection)
- domain_docroot=$(grep -F "^${domain}:" /etc/userdatadomains | cut -d= -f5 | sed 's/==/=/g')
+ # Use grep with word boundary for safe matching (avoid regex injection)
+ domain_docroot=$(grep "^$(printf '%s\n' "$domain" | sed 's/[[\.*^$/]/\\&/g'):" /etc/userdatadomains | cut -d= -f5 | sed 's/==/=/g')
 elif [ "$CONTROL_PANEL" = "plesk" ]; then
 domain_docroot=$(plesk bin site -i "$domain" 2>/dev/null | grep "WWW-Root" | awk '{print $2}')
 elif [ "$CONTROL_PANEL" = "interworx" ]; then
@@ -1702,8 +1702,8 @@ for scanner in "${AVAILABLE_SCANNERS[@]}"; do
 RKH_WARNINGS=0
 fi
- # Extract any rootkits found (FIXED: use -F flag for literal matching consistency)
- grep -F "Rootkit" "$LOG_DIR/rkhunter.log" 2>/dev/null | grep -iF "found" >> "$INFECTED_LIST" 2>/dev/null || true
+ # Extract any rootkits found (search for rootkit entries with found status)
+ grep "Rootkit" "$LOG_DIR/rkhunter.log" 2>/dev/null | grep -i "found" >> "$INFECTED_LIST" 2>/dev/null || true
 SCAN_END=$(date +%s)
 DURATION=$((SCAN_END - SCAN_START))
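Review bot: The new comment in the cpanel branch of get_domain_docroot promises a "word boundary", but the pattern has none; it anchors with `^`, escapes BRE metacharacters in `$domain`, and ends at the `:`. The escape class also includes `/`, which is not special in a grep pattern, so a domain value containing it yields `\/`, an undefined escape that recent GNU grep versions report as a stray backslash on stderr, which is not silenced here. I would reword the comment to `# Anchor at line start; escape BRE metacharacters so $domain is matched literally` and reduce the class to `sed 's/[[\.*^$]/\\&/g'`. Where `$domain` is validated is not visible, since the function starts and ends outside the hunk; if it can carry a newline, grep would treat the second line as a separate, unanchored pattern.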
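Review bot: The second filter in the rkhunter hunk (@@ -1702), `grep -i "found"`, also matches lines ending in `Not found`, which is how rkhunter normally logs a clean check, so clean `Rootkit` entries probably get appended to `$INFECTED_LIST`. Dropping `-F` does not change this, as neither pattern contains a regex metacharacter. I would exclude the negative status, e.g. `... | grep -i "found" | grep -vi "not found" >> "$INFECTED_LIST" 2>/dev/null || true`, and update the comment to say that only positive findings are kept. The enclosing for loop starts and ends outside the hunk, so how `$INFECTED_LIST` is consumed later is not visible.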