diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh
index 9311290..6efc4b3 100755
--- a/modules/security/malware-scanner.sh
+++ b/modules/security/malware-scanner.sh
@@ -168,9 +168,13 @@ is_clamav_installed() {
     elif [ -f "/usr/local/cpanel/3rdparty/bin/clamscan" ]; then
         clamscan_path="/usr/local/cpanel/3rdparty/bin/clamscan"
     elif command -v rpm &>/dev/null && rpm -qa 2>/dev/null | grep -q "cpanel-clamav" || true; then
-        clamscan_path=$(find /usr -name clamscan -type f 2>/dev/null | head -1)
+        # Find clamscan in system, validate result before using
+        local found_clamscan=$(find /usr -name clamscan -type f 2>/dev/null | head -1)
+        [ -n "$found_clamscan" ] && clamscan_path="$found_clamscan"
     elif command -v dpkg &>/dev/null && dpkg -l 2>/dev/null | grep -q "^ii.*clamav" || true; then
-        clamscan_path=$(find /usr -name clamscan -type f 2>/dev/null | head -1)
+        # Find clamscan in system, validate result before using
+        local found_clamscan=$(find /usr -name clamscan -type f 2>/dev/null | head -1)
+        [ -n "$found_clamscan" ] && clamscan_path="$found_clamscan"
     fi
 
     # Verify clamscan exists, is executable, and can run
@@ -523,7 +527,12 @@ install_maldet_only() {
             install_dir=$(find . -maxdepth 1 -type d \( -name "*malware*" -o -name "*maldet*" \) 2>/dev/null | head -1)
 
             if [ -n "$install_dir" ] && [ -f "$install_dir/install.sh" ]; then
-                if cd "$install_dir" 2>/dev/null && bash install.sh > /tmp/maldet-install.log 2>&1; then
+                # Use fallback directory for install log (not all systems have writable /tmp)
+                local install_log="/tmp/maldet-install-$$.log"
+                [ -w "/tmp" ] || install_log="/var/tmp/maldet-install-$$.log"
+                [ -w "${install_log%/*}" ] || install_log="$HOME/maldet-install-$$.log"
+
+                if cd "$install_dir" 2>/dev/null && bash install.sh > "$install_log" 2>&1; then
                     echo -e "  ${GREEN}✓ Maldet installed successfully${NC}"
 
                     # Update signatures in background
@@ -534,7 +543,7 @@ install_maldet_only() {
                         echo "  (signatures updating in background)"
                     fi
                 else
-                    echo -e "  ${RED}✗ Installation failed. Check /tmp/maldet-install.log${NC}"
+                    echo -e "  ${RED}✗ Installation failed. Check $install_log${NC}"
                 fi
             else
                 echo -e "  ${RED}✗ Could not find install.sh in extracted directory${NC}"