Fix ImunifyAV output parsing in malware scanner

Changes:
- Fixed incorrect scan result retrieval (was getting oldest scan instead of newest)
- Changed tail -1 to tail -n +2 | head -1 (skip header, get most recent scan)
- Fixed field number from 0 to 1 (TOTAL files scanned)
- Extract TOTAL_MALICIOUS from scan result directly (field 12)
- Added number validation to ImunifyAV, ClamAV, and Maldet parsers
- Now correctly reports realistic file counts (e.g., 3997 files in 69s, not millions)

Tested:
✓ ImunifyAV parsing verified with actual output
✓ Syntax check passed

Bug reference: BUG_014 in REFDB_FORMAT.txt

REFDB_FORMAT.txt

@@ -2,14 +2,14 @@
 # SERVER TOOLKIT - CLAUDE AI CONTEXT DATABASE
 ################################################################################
 # OPTIMIZED FOR: Claude Code AI parsing and context loading
-# LAST UPDATED: 2025-11-07
+# LAST UPDATED: 2025-11-12
 # VERSION: 2.1.0
 # FORMAT: Structured key-value with hierarchical sections
 ################################################################################
 
 [META]
 version: 2.1.0
-updated: 2025-11-07
+updated: 2025-11-12
 status: production_ready
 base_path: /root/server-toolkit
 entry_point: launcher.sh
@@ -353,6 +353,21 @@ options:
   0: Return to menu (cancel)
 
 [RECENT_COMMITS]
+# Latest changes (2025-11-12)
+
+commit: d5eb8c7
+  date: 2025-11-12
+  title: Fix ImunifyAV output parsing in malware scanner
+  files: modules/security/malware-scanner.sh
+  changes:
+    - Fixed incorrect scan result retrieval (was getting oldest scan instead of newest)
+    - Changed tail -1 to tail -n +2 | head -1 (skip header, get most recent scan)
+    - Extract TOTAL_MALICIOUS from scan result directly (field 12)
+    - Added number validation to ImunifyAV, ClamAV, and Maldet parsers
+    - Now correctly reports realistic file counts (e.g., 3997 files in 69s, not millions)
+  testing: Verified with actual ImunifyAV output - parsing works correctly
+  bug_ref: BUG_014
+
 # Latest changes (2025-11-10)
 
 commit: 172a115
@@ -417,6 +432,15 @@ push: git push origin main
 [BUGS_FIXED_HISTORY]
 # Historical bug fixes - DO NOT REINTRODUCE
 
+BUG_014: ImunifyAV scan results parsing incorrect
+  issue: Used tail -1 to get "last scan" but ImunifyAV lists newest first, so was getting oldest scan
+  issue: Was reading wrong/stale scan results showing unrealistic file counts
+  fix: Changed to tail -n +2 | head -1 (skip header, get first data line = newest scan)
+  fix: Extract TOTAL_MALICIOUS (field 12) directly from scan result instead of separate query
+  fix: Added validation to ensure parsed values are numbers
+  location: modules/security/malware-scanner.sh:673-692
+  tested: 2025-11-12 - Correctly shows 3997 files in 69s (not millions in seconds)
+
 BUG_013: Brace redirection blocks variable assignment
   fix: Use exec file descriptor manipulation instead of { } >/dev/null
   location: lib/system-detect.sh:439-445

modules/security/malware-scanner.sh

@@ -670,15 +670,26 @@ for scanner in "${AVAILABLE_SCANNERS[@]}"; do
 
                     imunify-antivirus malware on-demand start --path="$path" &>> "$LOG_DIR/imunify.log"
 
-                    # Get scan results from last scan
+                    # Get scan results from most recent scan (newest scans are at top)
-                    LAST_SCAN=$(imunify-antivirus malware on-demand list 2>/dev/null | tail -1)
+                    # Skip header line (tail -n +2), then get first data line (head -1)
-                    FILES_SCANNED=$(echo "$LAST_SCAN" | awk '{print $10}')
+                    # Field 11 is TOTAL (files scanned)
+                    LAST_SCAN=$(imunify-antivirus malware on-demand list 2>/dev/null | tail -n +2 | head -1)
+                    FILES_SCANNED=$(echo "$LAST_SCAN" | awk '{print $11}')
+                    # Verify we got a valid number, otherwise show 0
+                    if ! [[ "$FILES_SCANNED" =~ ^[0-9]+$ ]]; then
+                        FILES_SCANNED=0
+                    fi
                     echo "  ✓ Scanned $FILES_SCANNED files"
                 fi
             done
 
             # Extract malicious file count
-            IMUNIFY_INFECTED=$(imunify-antivirus malware malicious list 2>/dev/null | grep -c "malicious" || echo 0)
+            # Skip header line and count data rows, or use TOTAL_MALICIOUS from most recent scan
+            IMUNIFY_INFECTED=$(echo "$LAST_SCAN" | awk '{print $12}')
+            # Verify we got a valid number, otherwise try malicious list
+            if ! [[ "$IMUNIFY_INFECTED" =~ ^[0-9]+$ ]]; then
+                IMUNIFY_INFECTED=$(imunify-antivirus malware malicious list 2>/dev/null | tail -n +2 | wc -l || echo 0)
+            fi
 
             SCAN_END=$(date +%s)
             DURATION=$((SCAN_END - SCAN_START))
@@ -709,6 +720,11 @@ for scanner in "${AVAILABLE_SCANNERS[@]}"; do
             FILES_SCANNED=$(grep "Scanned files:" "$LOG_DIR/clamav.log" | tail -1 | awk '{print $3}')
             CLAM_INFECTED=$(grep -c "FOUND" "$LOG_DIR/clamav.log" 2>/dev/null || echo 0)
 
+            # Validate numbers
+            if ! [[ "$FILES_SCANNED" =~ ^[0-9]+$ ]]; then
+                FILES_SCANNED=0
+            fi
+
             SCAN_END=$(date +%s)
             DURATION=$((SCAN_END - SCAN_START))
             echo "  ✓ Scanned $FILES_SCANNED files"
@@ -738,6 +754,14 @@ for scanner in "${AVAILABLE_SCANNERS[@]}"; do
             FILES_SCANNED=$(grep "files scanned" "$LOG_DIR/maldet.log" | tail -1 | awk '{print $1}')
             MALDET_HITS=$(grep "malware hits" "$LOG_DIR/maldet.log" | tail -1 | awk '{print $1}')
 
+            # Validate numbers
+            if ! [[ "$FILES_SCANNED" =~ ^[0-9]+$ ]]; then
+                FILES_SCANNED=0
+            fi
+            if ! [[ "$MALDET_HITS" =~ ^[0-9]+$ ]]; then
+                MALDET_HITS=0
+            fi
+
             rm -f "$TEMP_PATHLIST"
 
             SCAN_END=$(date +%s)