diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh
index 3daa271..20ae3b4 100755
--- a/modules/security/malware-scanner.sh
+++ b/modules/security/malware-scanner.sh
@@ -21,21 +21,12 @@ NC='\033[0m'
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 
 # Cleanup function - kills any background processes and removes temp files
+# Cleanup stub - actual definition is later in the script (before main execution)
+# This stub prevents undefined function errors if trap is called early
 cleanup_on_exit() {
-    # Kill any background child processes (scanner processes, timeouts, etc.)
-    local pids=$(jobs -p)
-    if [ -n "$pids" ]; then
-        kill "$pids" 2>/dev/null || true
-        wait 2>/dev/null || true
-    fi
-
-    # Remove temporary files
-    rm -f /tmp/maldet-update.log 2>/dev/null || true
+    :  # No-op during initialization
 }
 
-# Register cleanup trap for EXIT and interrupt signals
-trap cleanup_on_exit EXIT INT TERM
-
 # Source required libraries (warn if missing, but allow graceful degradation)
 source "$SCRIPT_DIR/lib/common-functions.sh" 2>/dev/null || \
     { echo "WARNING: common-functions.sh not found - some features may not work" >&2; }
@@ -85,7 +76,7 @@ get_web_root_for_imunify() {
 
     # Try Apache on Debian/Ubuntu (apache2ctl)
     if command -v apache2ctl &>/dev/null; then
-        detected_root=$(apache2ctl -S 2>/dev/null | grep "^\*:" || true | head -1 | awk '{print $NF}' | sed 's/*://' || echo "")
+        detected_root=$(apache2ctl -S 2>/dev/null | grep "^\*:" || true | head -1 | awk '{print $NF}' | sed 's/\*://' || echo "")
         if [ -n "$detected_root" ] && [ -d "$detected_root" ]; then
             echo "$detected_root"
             return 0
@@ -94,7 +85,7 @@ get_web_root_for_imunify() {
 
     # Try Apache on RHEL/CentOS (httpd -S)
     if command -v httpd &>/dev/null; then
-        detected_root=$(httpd -S 2>/dev/null | grep "^\*:" || true | head -1 | awk '{print $NF}' | sed 's/*://' || echo "")
+        detected_root=$(httpd -S 2>/dev/null | grep "^\*:" || true | head -1 | awk '{print $NF}' | sed 's/\*://' || echo "")
         if [ -n "$detected_root" ] && [ -d "$detected_root" ]; then
             echo "$detected_root"
             return 0
@@ -1522,58 +1513,70 @@ cleanup_on_exit() {
     local exit_code=$?
     echo ""
 
-    # Remove running marker file
-    rm -f "$SCAN_DIR/.scan_running"
+    # PHASE 1: Kill any background child processes (scanner processes, timeouts, etc.)
+    local pids=$(jobs -p)
+    if [ -n "$pids" ]; then
+        kill "$pids" 2>/dev/null || true
+        wait 2>/dev/null || true
+    fi
 
-    # Only log if session log exists
-    if [ -f "$SESSION_LOG" ]; then
+    # PHASE 2: Remove temporary files from initial script setup
+    rm -f /tmp/maldet-update.log 2>/dev/null || true
+
+    # PHASE 3: Remove running marker file (scan session cleanup)
+    if [ -n "${SCAN_DIR:-}" ]; then
+        rm -f "$SCAN_DIR/.scan_running" 2>/dev/null || true
+    fi
+
+    # PHASE 4: Only log if session log exists
+    if [ -f "${SESSION_LOG:-}" ]; then
         log_message "Cleanup triggered (exit code: $exit_code)"
     fi
 
-    # Remove temporarily installed RKHunter
+    # PHASE 5: Remove temporarily installed RKHunter
     if [ "${RKHUNTER_TEMP_INSTALLED:-false}" = "true" ]; then
-        if [ -f "$SESSION_LOG" ]; then
+        if [ -f "${SESSION_LOG:-}" ]; then
             log_message "Removing temporarily installed RKHunter..."
         fi
         echo "→ Cleaning up: Removing Rootkit Hunter..."
         if command -v yum &>/dev/null; then
             if yum remove -y rkhunter &>/dev/null 2>&1; then
-                if [ -f "$SESSION_LOG" ]; then
+                if [ -f "${SESSION_LOG:-}" ]; then
                     log_message "RKHunter removed successfully"
                 fi
             else
-                if [ -f "$SESSION_LOG" ]; then
+                if [ -f "${SESSION_LOG:-}" ]; then
                     log_message "WARNING: Failed to remove RKHunter (yum command failed)"
                 fi
             fi
         elif command -v apt-get &>/dev/null; then
             if apt-get remove -y rkhunter &>/dev/null 2>&1; then
-                if [ -f "$SESSION_LOG" ]; then
+                if [ -f "${SESSION_LOG:-}" ]; then
                     log_message "RKHunter removed successfully"
                 fi
             else
-                if [ -f "$SESSION_LOG" ]; then
+                if [ -f "${SESSION_LOG:-}" ]; then
                     log_message "WARNING: Failed to remove RKHunter (apt-get command failed)"
                 fi
             fi
         fi
     fi
 
-    # Save interrupted status (only if summary file directory exists)
-    if [ "$exit_code" -ne 0 ] && [ -d "$RESULTS_DIR" ]; then
+    # PHASE 6: Save interrupted status (only if summary file directory exists)
+    if [ "$exit_code" -ne 0 ] && [ -d "${RESULTS_DIR:-}" ]; then
         {
             echo ""
             echo "SCAN INTERRUPTED"
             echo "Exit code: $exit_code"
             echo "Time: $(date)"
         } >> "$SUMMARY_FILE"
-        if [ -f "$SESSION_LOG" ]; then
+        if [ -f "${SESSION_LOG:-}" ]; then
             log_message "Scan interrupted with exit code: $exit_code"
         fi
     fi
 }
 
-# Set trap for cleanup on exit, interrupt, or termination
+# Register cleanup trap for EXIT and interrupt signals (comprehensive cleanup)
 trap cleanup_on_exit EXIT INT TERM
 
 # Banner