diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh
index 8b6475f..a72d68c 100755
--- a/modules/security/malware-scanner.sh
+++ b/modules/security/malware-scanner.sh
@@ -267,63 +267,125 @@ install_maldet_only() { echo "Maldet is a fast, Linux-specific malware scanner" echo "Repository: https://github.com/rfxn/maldet" echo "" + echo "Checking available versions..." + echo "" cd /tmp || return 1 - # Try multiple download sources (fallback chain) - local download_success=false - local temp_file="maldetect-latest.tar.gz" + # Function to compare semantic versions (e.g., 1.6.5 vs 1.6.4) + compare_versions() { + local v1="$1" v2="$2" + [ "$v1" = "$v2" ] && echo "equal" && return - # Source 1: rfxn.com official - echo " [1/3] Trying rfxn.com official source..." - if wget -q --timeout=10 -O "$temp_file" "https://www.rfxn.com/downloads/maldetect-latest.tar.gz" 2>/dev/null; then - download_success=true - fi + local IFS=. + local i ver1=($v1) ver2=($v2) - # Source 2: GitHub releases (if primary failed) - if [ "$download_success" = false ]; then - echo " [2/3] Trying GitHub releases..." - if wget -q --timeout=10 -O "$temp_file" "https://github.com/rfxn/maldet/archive/refs/heads/main.tar.gz" 2>/dev/null; then - download_success=true - fi - fi - - # Source 3: GitHub releases with version tag (common pattern) - if [ "$download_success" = false ]; then - echo " [3/3] Trying GitHub releases archive..." 
- # Try to get latest release from GitHub API - local latest_release=$(curl -s "https://api.github.com/repos/rfxn/maldet/releases/latest" 2>/dev/null | grep -o '"tarball_url":"[^"]*' | head -1 | cut -d'"' -f4) - if [ -n "$latest_release" ]; then - if wget -q --timeout=10 -O "$temp_file" "$latest_release" 2>/dev/null; then - download_success=true + for ((i=0; i<${#ver1[@]} || i<${#ver2[@]}; i++)); do + if ((10#${ver1[i]:-0} > 10#${ver2[i]:-0})); then + echo "greater" + return + elif ((10#${ver1[i]:-0} < 10#${ver2[i]:-0})); then + echo "less" + return fi - fi + done + echo "equal" + } + + # Check available versions from multiple sources + local rfxn_version="" github_version="" github_api_version="" + local best_source="" best_version="" best_url="" + + # Source 1: Check rfxn.com for available versions + echo " [1/3] Checking rfxn.com..." + local rfxn_check=$(curl -sI "https://www.rfxn.com/downloads/maldetect-latest.tar.gz" --connect-timeout 5 2>/dev/null | grep -E "HTTP|Content-Length") + if echo "$rfxn_check" | grep -q "200\|302"; then + rfxn_version="latest" + echo " ✓ Available (latest release)" + else + echo " ✗ Not reachable" fi - # If all sources failed, show error with actual URLs for manual download - if [ "$download_success" = false ]; then - echo -e "${RED}✗ Failed to download from all sources${NC}" + # Source 2: Check GitHub releases API for version info + echo " [2/3] Checking GitHub releases..." + local github_api_data=$(curl -s "https://api.github.com/repos/rfxn/maldet/releases/latest" --connect-timeout 5 2>/dev/null) + + if echo "$github_api_data" | grep -q '"tag_name"'; then + github_api_version=$(echo "$github_api_data" | grep -o '"tag_name":"[^"]*' | head -1 | cut -d'"' -f4 | sed 's/^v//') + if [ -n "$github_api_version" ]; then + echo " ✓ Found version: $github_api_version" + fi + else + echo " ✗ API unreachable" + fi + + # Source 3: Check GitHub main branch + echo " [3/3] Checking GitHub main branch..." 
+ local github_main_check=$(curl -sI "https://github.com/rfxn/maldet/archive/refs/heads/main.tar.gz" --connect-timeout 5 2>/dev/null | grep -E "HTTP") + if echo "$github_main_check" | grep -q "200\|302"; then + github_version="main-branch" + echo " ✓ Available (main branch)" + else + echo " ✗ Not reachable" + fi + + echo "" + + # Determine best source based on version comparison + if [ -n "$github_api_version" ] && [ -n "$rfxn_version" ]; then + # Both available - prefer the version tag if we can parse rfxn version + echo " Multiple sources available. Selecting best version..." + best_source="github_api" + best_version="$github_api_version" + best_url=$(echo "$github_api_data" | grep -o '"tarball_url":"[^"]*' | head -1 | cut -d'"' -f4) + echo " → Downloading version $best_version from GitHub API" + elif [ -n "$rfxn_version" ]; then + best_source="rfxn" + best_version="latest" + best_url="https://www.rfxn.com/downloads/maldetect-latest.tar.gz" + echo " → Downloading from rfxn.com (official)" + elif [ -n "$github_api_version" ]; then + best_source="github_api" + best_version="$github_api_version" + best_url=$(echo "$github_api_data" | grep -o '"tarball_url":"[^"]*' | head -1 | cut -d'"' -f4) + echo " → Downloading version $best_version from GitHub API" + elif [ -n "$github_version" ]; then + best_source="github_main" + best_version="main-branch" + best_url="https://github.com/rfxn/maldet/archive/refs/heads/main.tar.gz" + echo " → Downloading from GitHub main branch (fallback)" + else + echo -e "${RED}✗ All sources unreachable${NC}" echo "" echo "Known working download URLs:" echo " Official: https://www.rfxn.com/downloads/maldetect-latest.tar.gz" echo " GitHub: https://github.com/rfxn/maldet/archive/refs/heads/main.tar.gz" echo "" - echo "Try manually:" - echo " cd /tmp" - echo " wget https://www.rfxn.com/downloads/maldetect-latest.tar.gz" - echo " tar xzf maldetect-latest.tar.gz" - echo " cd maldetect-* && bash install.sh" - echo "" + return 1 + fi + + echo "" + + # 
Download from the best source + local temp_file="maldetect-${best_version}.tar.gz" + echo "Downloading $best_version..." + + if wget -q --timeout=15 -O "$temp_file" "$best_url" 2>/dev/null; then + echo -e "${GREEN}✓ Download successful${NC}" + else + echo -e "${RED}✗ Download failed from $best_source${NC}" rm -f "$temp_file" return 1 fi + echo "" + # Extract and install - echo " Extracting archive..." + echo "Extracting archive..." if tar xzf "$temp_file" 2>/dev/null; then - echo " Running installer..." + echo "Running installer..." if cd maldetect-* 2>/dev/null && bash install.sh > /tmp/maldet-install.log 2>&1; then - echo -e "${GREEN}✓ Maldet installed successfully${NC}" + echo -e "${GREEN}✓ Maldet installed successfully (version: $best_version)${NC}" # Update signatures in background echo "" @@ -336,7 +398,7 @@ install_maldet_only() { echo -e "${RED}✗ Installation failed. Check /tmp/maldet-install.log${NC}" fi cd /tmp - rm -rf maldetect-* maldetect-latest.tar.gz 2>/dev/null || true + rm -rf maldetect-* "maldetect-${best_version}.tar.gz" 2>/dev/null || true else echo -e "${RED}✗ Failed to extract archive${NC}" rm -f "$temp_file"
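Review bot: `github_api_version` and `best_url` are cut out of the API response with grep/cut and used unchecked: the tag becomes part of `temp_file="maldetect-${best_version}.tar.gz"`, and the URL is what wget fetches before `install.sh` is run from the unpacked tree. Right after parsing I would keep only a dotted number, `[[ "$github_api_version" =~ ^[0-9]+(\.[0-9]+)*$ ]] || github_api_version=""`, and refuse a `best_url` that does not start with `https://api.github.com/repos/rfxn/maldet/`. `compare_versions` is defined but never called in the visible lines; if it is wired up later it passes its arguments to `(( ))`, so it needs the same validation first. The patterns `'"tag_name":"[^"]*'` and `'"tarball_url":"[^"]*'` allow no space after the colon, so a pretty-printed response would leave both values empty and this branch would silently never be chosen. Nothing here verifies the archive before the installer runs, so a digest or signature check against a pinned value belongs before the `tar xzf` step; `install_maldet_only` starts before this hunk and continues past it.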
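Review bot: This cleanup still runs `rm -rf maldetect-*` in the shared `/tmp`, so it deletes any entry there that matches the glob, and the `cd maldetect-*` in the previous hunk can for the same reason enter a directory this run did not unpack. A private work directory avoids both: `workdir=$(mktemp -d) || return 1` and `cd "$workdir" || return 1` in place of `cd /tmp`, then `rm -rf -- "$workdir"` here. The fixed log path `/tmp/maldet-install.log` has the same problem and is better created with `mktemp`. `best_version` is only set in the previous hunk, and the enclosing `install_maldet_only` begins and ends outside this one.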