From a5093ccace41d7533cbb41a400daeec66b807134 Mon Sep 17 00:00:00 2001
From: cschantz
Date: Wed, 12 Nov 2025 18:40:30 -0500
Subject: [PATCH] Fix malware scanner: entire server scope, screen persistence, selective cleanup

Three critical fixes to improve malware scanner usability:

1. Entire Server Scan Scope (line 1132):
- Changed from scanning only cPanel docroots to scanning entire filesystem
- scan_paths=("/") instead of scan_paths=("${sanitized_docroot[@]}")
- Updated display message: "Scan scope: Entire server from /"
- Fixes issue where "Entire server" option only scanned user directories

2. Screen Session Persistence (line 917):
- Added 'exec bash' at end of scan script to keep screen session alive
- User now has time to review summary and answer cleanup prompt
- Screen won't auto-close when script finishes
- Provides option to open interactive shell or detach (Ctrl+A then D)
- Fixes premature session termination issue

3. Selective Cleanup (lines 883-899):
- Changed cleanup to only delete scan.sh script
- Logs and results are always preserved at /opt/malware-*/
- New prompt: "Delete scan script? (Logs and results will be preserved)"
- Only removes scan.sh when user answers "yes"
- User can manually delete entire directory if needed: rm -rf $SCAN_DIR
- Moved RKHunter cleanup before user prompt (lines 870-880)

Benefits:
- Full server scanning actually scans from / root
- User can review results before screen closes
- Scan scripts are cleaned up for security
- Logs/results preserved for later review
- No accidental data loss
---
 modules/security/malware-scanner.sh | 73 ++++++++++++++++-------------
 1 file changed, 40 insertions(+), 33 deletions(-)

diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh
index dae5983..80fac77 100755
--- a/modules/security/malware-scanner.sh
+++ b/modules/security/malware-scanner.sh
@@ -867,47 +867,54 @@ echo ""
 echo "=========================================="
 echo ""
-# Prompt for cleanup
-read -p "Delete scan directory and all results? (yes/no): " cleanup_choice
-
-if [ "$cleanup_choice" = "yes" ]; then
- log_message "User requested cleanup - deleting scan directory"
- echo ""
- echo "Removing scan directory..."
- cd /
- rm -rf "$SCAN_DIR"
- echo -e "${GREEN}✓ Scan directory deleted${NC}"
- echo ""
- echo "This screen session will now close."
- sleep 2
-else
- log_message "User chose to keep results"
- echo ""
- echo "Results preserved at: $SCAN_DIR"
- echo ""
- echo "You can:"
- echo " • Review logs: ls $LOG_DIR"
- echo " • View summary: cat $SUMMARY_FILE"
- echo " • Delete manually: rm -rf $SCAN_DIR"
- echo ""
- echo "Press Ctrl+A then D to detach from this screen session"
- echo ""
-fi
-
 # Cleanup: Remove rkhunter if it was temporarily installed
 if [ "$RKHUNTER_TEMP_INSTALLED" = "true" ]; then
 log_message "Removing temporarily installed RKHunter..."
- echo ""
 echo "→ Cleaning up: Removing Rootkit Hunter..."
-
 if command -v yum &>/dev/null; then
 yum remove -y rkhunter &>/dev/null
 echo " ✓ RKHunter removed"
 log_message "RKHunter successfully removed"
 fi
+ echo ""
 fi
-log_message "Scan session ended"
+# Prompt for cleanup
+read -p "Delete scan script? (Logs and results will be preserved) (yes/no): " cleanup_choice
+
+if [ "$cleanup_choice" = "yes" ]; then
+ log_message "User requested cleanup - deleting scan script"
+ echo ""
+ echo "Removing scan script..."
+ rm -f "$SCAN_DIR/scan.sh"
+ echo -e "${GREEN}✓ Scan script deleted${NC}"
+ echo ""
+ echo "Results preserved at: $SCAN_DIR"
+ echo ""
+else
+ log_message "User chose to keep scan script"
+ echo ""
+ echo "Scan script and results preserved at: $SCAN_DIR"
+ echo ""
+fi
+
+echo "You can:"
+echo " • Review logs: ls $LOG_DIR"
+echo " • View summary: cat $SUMMARY_FILE"
+echo " • Delete scan directory manually: rm -rf $SCAN_DIR"
+echo ""
+echo "Press Ctrl+A then D to detach from this screen session,"
+echo "or press Enter to open an interactive shell in this session..."
+echo ""
+read -t 30 -p ""
+
+# Keep screen session alive with an interactive shell
+echo ""
+echo "Opening interactive shell. Type 'exit' to close this screen session."
+echo ""
+
+log_message "Scan session ended - opening interactive shell"
+exec bash
 STANDALONE_EOF
 # Replace placeholder with actual paths
@@ -1129,17 +1136,17 @@ launch_standalone_scanner_menu() {
 case $scope_choice in
 1)
 # Entire server
- scan_paths=("${sanitized_docroot[@]}")
+ scan_paths=("/")
 scan_description="full server scan"
 if [ ${#scan_paths[@]} -eq 0 ]; then
- echo -e "${RED}No docroots found!${NC}"
+ echo -e "${RED}No scan paths found!${NC}"
 read -p "Press Enter to continue..."
 return 1
 fi
 echo ""
- echo "Scan paths: ${#scan_paths[@]} docroots"
+ echo "Scan scope: Entire server from /"
 ;;
 2)
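Review bot: In the first hunk (-867), `read -t 30 -p ""` falls through to `exec bash` on timeout exactly as it does on Enter, so every scan ends by leaving an interactive shell in the screen session even when nobody is at the keyboard. That shell is presumably root's, given the `yum remove` call in the same hunk. Consider opening the shell only when `read` succeeds, or giving it an idle limit such as `TMOUT=900 exec bash` (value illustrative), and use `read -r -t 30 _` so the input is explicitly discarded. The new `rm -f "$SCAN_DIR/scan.sh"` would also be safer as `rm -f -- "${SCAN_DIR:?}/scan.sh"`, which aborts if the variable is empty. This code sits inside the heredoc closed by `STANDALONE_EOF`, which opens outside the hunk.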
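Review bot: In the second hunk (-1129), once `scan_paths=("/")` is assigned the `[ ${#scan_paths[@]} -eq 0 ]` guard right below it can never be true, so the "No scan paths found!" branch is dead code and can be dropped. Scanning from `/` also takes in `/proc`, `/sys`, `/dev` and any network or backup mounts. Unless the generated scan script already excludes them (not visible here), the scanners can stall on pseudo-files, and run time and I/O load will grow well beyond the old docroot scan. Once such an exclusion exists, I would record it at the assignment with a comment like `# scope 1 scans from /; pseudo-filesystems and remote mounts are excluded in the scanner invocation`. The case arm and `launch_standalone_scanner_menu` continue outside the hunk.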