diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh
index 31eb7d6..d4f49de 100755
--- a/modules/security/malware-scanner.sh
+++ b/modules/security/malware-scanner.sh
@@ -280,6 +280,11 @@ install_maldet_only() {
     local temp_file="maldetect-latest.tar.gz"
     local best_source=""
 
+    # Clean up any empty/partial files from previous failed attempts
+    if [ -f "$temp_file" ] && [ ! -s "$temp_file" ]; then
+        rm -f "$temp_file"
+    fi
+
     # Download sources in priority order
     # Format: "name|url|label" (using | as delimiter to avoid splitting https://)
     local sources=(
@@ -296,35 +301,50 @@ install_maldet_only() {
 
         echo "  Trying $source_label..."
 
+        # Clean up any previous attempt file before trying
+        rm -f "$temp_file"
+
         # Try download with aggressive timeout
         # --timeout: fail if no progress for this many seconds
         # --read-timeout: fail if no data received for this many seconds
         if wget -q --timeout=30 --read-timeout=10 -O "$temp_file" "$source_url" 2>/dev/null; then
+            # Verify download created a non-empty file (wget creates empty file on failure)
             if [ -f "$temp_file" ] && [ -s "$temp_file" ]; then
-                echo -e "  ${GREEN}✓ Download successful from $source_label${NC}"
+                echo -e "  ${GREEN}✓ Download successful ($(du -h "$temp_file" | cut -f1))${NC}"
                 download_success=true
                 best_source="$source_label"
                 break
+            else
+                # Download command succeeded but file is empty - network/proxy issue
+                rm -f "$temp_file"
+                echo -e "  ${RED}✗ Download created empty file (network/firewall issue)${NC}"
             fi
+        else
+            # wget command failed
             rm -f "$temp_file"
+            echo -e "  ${RED}✗ Download failed${NC}"
         fi
 
         # Also try with curl as fallback
         if [ "$download_success" = false ]; then
+            rm -f "$temp_file"
+
             if curl -f --connect-timeout 10 --max-time 30 -L -o "$temp_file" "$source_url" 2>/dev/null; then
+                # Verify curl created a non-empty file
                 if [ -f "$temp_file" ] && [ -s "$temp_file" ]; then
-                    echo -e "  ${GREEN}✓ Download successful from $source_label${NC}"
+                    echo -e "  ${GREEN}✓ Download successful via curl ($(du -h "$temp_file" | cut -f1))${NC}"
                     download_success=true
                     best_source="$source_label"
                     break
+                else
+                    rm -f "$temp_file"
+                    echo -e "  ${RED}✗ Curl created empty file (network/firewall issue)${NC}"
                 fi
+            else
                 rm -f "$temp_file"
+                echo -e "  ${RED}✗ Curl failed${NC}"
             fi
         fi
-
-        if [ "$download_success" = false ]; then
-            echo -e "  ${RED}✗ Failed or timeout${NC}"
-        fi
     done
 
     echo ""