diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh
index a0e7707..7fd66fe 100755
--- a/modules/security/malware-scanner.sh
+++ b/modules/security/malware-scanner.sh
@@ -1265,8 +1265,8 @@ for scanner in "${AVAILABLE_SCANNERS[@]}"; do
             # Extract warnings
             RKH_WARNINGS=$(grep -c "Warning:" "$LOG_DIR/rkhunter.log" 2>/dev/null || echo 0)
 
-            # Extract any rootkits found
-            grep "Rootkit" "$LOG_DIR/rkhunter.log" | grep -i "found" >> "$INFECTED_LIST" 2>/dev/null
+            # Extract any rootkits found (FIXED: use -F flag for literal matching consistency)
+            grep -F "Rootkit" "$LOG_DIR/rkhunter.log" 2>/dev/null | grep -iF "found" >> "$INFECTED_LIST" 2>/dev/null || true
 
             SCAN_END=$(date +%s)
             DURATION=$((SCAN_END - SCAN_START))
@@ -1354,8 +1354,8 @@ done
                 # InterWorx: Search /home/*/var/*/logs/transfer.log (VERIFIED: uses 'transfer.log')
                 # Search last 7 days of logs for POST requests to this path
                 find /home/*/var/*/logs -type f -name 'transfer.log' 2>/dev/null | while read -r logfile; do
-                    # Check if this log corresponds to the domain/user
-                    grep -h "POST.*${filepath}" "$logfile" 2>/dev/null | tail -20 | while read -r logline; do
+                    # Check if this log corresponds to the domain/user (FIXED: safe literal matching to avoid regex injection)
+                    grep -hF "POST " "$logfile" 2>/dev/null | grep "${filepath}" | tail -20 | while read -r logline; do
                         # Extract IP from Apache log line
                         ip=$(awk '{print $1}' <<< "$logline")
                         if [ -n "$ip" ] && [[ "$ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
@@ -1372,8 +1372,8 @@ done
                 # Plesk: Search /var/www/vhosts/*/logs/access*log
                 # Plesk stores logs in /var/www/vhosts/domain.com/logs/access_log or access_ssl_log
                 find /var/www/vhosts/*/logs -type f \( -name 'access_log' -o -name 'access_ssl_log' \) 2>/dev/null | while read -r logfile; do
-                    # Check if this log corresponds to the domain/user
-                    grep -h "POST.*${filepath}" "$logfile" 2>/dev/null | tail -20 | while read -r logline; do
+                    # Check if this log corresponds to the domain/user (FIXED: safe literal matching to avoid regex injection)
+                    grep -hF "POST " "$logfile" 2>/dev/null | grep "${filepath}" | tail -20 | while read -r logline; do
                         # Extract IP from Apache log line
                         ip=$(awk '{print $1}' <<< "$logline")
                         if [ -n "$ip" ] && [[ "$ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
@@ -1391,8 +1391,8 @@ done
                 # cPanel stores logs as domain.com, domain.net, etc. in /var/log/apache2/domlogs/
                 if [ -n "$SYS_LOG_DIR" ] && [ -d "$SYS_LOG_DIR" ]; then
                     find "$SYS_LOG_DIR" -type f \( -name '*.com' -o -name '*.net' -o -name '*.org' -o -name '*.info' -o -name '*.biz' \) 2>/dev/null | while read -r logfile; do
-                        # Check if this log corresponds to the domain/user
-                        grep -h "POST.*${filepath}" "$logfile" 2>/dev/null | tail -20 | while read -r logline; do
+                        # Check if this log corresponds to the domain/user (FIXED: safe literal matching to avoid regex injection)
+                        grep -hF "POST " "$logfile" 2>/dev/null | grep "${filepath}" | tail -20 | while read -r logline; do
                             # Extract IP from Apache log line
                             ip=$(awk '{print $1}' <<< "$logline")
                             if [ -n "$ip" ] && [[ "$ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
@@ -1728,8 +1728,8 @@ STANDALONE_EOF
 
     sleep 1
 
-    # Verify screen started
-    if screen -list | grep -q "$session_id"; then
+    # Verify screen started (FIXED: use -F flag for literal matching)
+    if screen -list | grep -qF "$session_id"; then
         echo ""
         echo -e "${GREEN}✓ Standalone scanner started successfully!${NC}"
         echo ""
@@ -1938,9 +1938,10 @@ launch_standalone_scanner_menu() {
                 return 1
             fi
 
-            # Get user's docroots
+            # Get user's docroots (FIXED: more specific path matching to avoid false matches like 'test' matching 'username_test')
             for docroot in "${sanitized_docroot[@]}"; do
-                if [[ "$docroot" == *"/$SELECTED_USER/"* ]]; then
+                # Match patterns: /home/username/ or /var/www/vhosts/username/ or /chroot/home/username/
+                if [[ "$docroot" == */home/$SELECTED_USER/* ]] || [[ "$docroot" == */vhosts/$SELECTED_USER/* ]] || [[ "$docroot" == */chroot/home/$SELECTED_USER/* ]]; then
                     scan_paths+=("$docroot")
                 fi
             done
@@ -1966,9 +1967,10 @@ launch_standalone_scanner_menu() {
                 return 1
             fi
 
-            # Find docroot for domain
+            # Find docroot for domain (FIXED: more specific matching to distinguish 'example' from 'example-prod' or 'prefix_example')
             for docroot in "${sanitized_docroot[@]}"; do
-                if [[ "$docroot" == *"/$domain"* ]] || [[ "$docroot" == *"/$domain/"* ]]; then
+                # Match patterns: domain.com/html or domain.com/public_html or /domain.com/httpdocs
+                if [[ "$docroot" == *"/$domain/"* ]] || [[ "$docroot" == *"/$domain"* ]]; then
                     scan_paths+=("$docroot")
                 fi
             done