From de46a777288d03853ab7fb207c4a74e7a3bdc5f1 Mon Sep 17 00:00:00 2001
From: cschantz
Date: Tue, 23 Dec 2025 15:34:03 -0500
Subject: [PATCH] Fix Maldet scanning 0 files - incorrect flag syntax Problem: Maldet completed in 1s scanning 0 files with error: "must use absolute path, provided relative path '-f'" Root Cause: Line 1075 used: maldet -b -a -f "$TEMP_PATHLIST" The -a (scan-all PATH) flag cannot be combined with -f (file-list) Maldet interpreted "-f" as a relative path instead of a flag Solution: Replaced file-list approach with per-path loop: - Loop through each path in SCAN_PATHS array - Call: maldet -b -a "$path" for each path individually - Skip non-existent directories with validation - Track exit codes across all scans Additional Changes: - Removed TEMP_PATHLIST creation and 3 cleanup calls - Changed result extraction to use event log (more reliable): grep "scan completed" /usr/local/maldetect/logs/event_log - Added validation for non-existent paths - Preserved 2-hour timeout per path Impact: Maldet will now actually scan files instead of failing silently. The -a flag ensures ALL files are scanned regardless of modification time (fixes default 1-day age filter).
---
 modules/security/malware-scanner.sh | 51 +++++++++++++++++------------
 1 file changed, 30 insertions(+), 21 deletions(-)
diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh
index a485dc2..3474c20 100755
--- a/modules/security/malware-scanner.sh
+++ b/modules/security/malware-scanner.sh
@@ -1059,35 +1059,46 @@ for scanner in "${AVAILABLE_SCANNERS[@]}"; do echo "⚠️ WARNING: Signature update failed, using existing signatures" fi - # Create temp path list - TEMP_PATHLIST="/tmp/maldet_paths_$$.txt" - printf '%s\n' "${SCAN_PATHS[@]}" > "$TEMP_PATHLIST" - log_message "Maldet: Starting scan with live progress" echo "" echo " 📁 Scanning path(s): ${SCAN_PATHS[*]}" echo " ⏳ Scanner: Maldet/LMD (Linux-specific malware detection...)" echo "" - # Run with --progress for real-time percentage updates - # Use -a flag to scan all files (not just recent modifications) - # Timeout after 2 hours - timeout 7200 maldet -b -a -f "$TEMP_PATHLIST" 2>&1 | tee -a "$LOG_DIR/maldet.log" | while IFS= read -r line; do - # Parse progress lines: "files: 1234 (45%)" - if [[ "$line" =~ files:\ ([0-9]+)\ \(([0-9]+)%\) ]]; then - files_so_far="${BASH_REMATCH[1]}" - percent="${BASH_REMATCH[2]}" - printf "\r Progress: %3d%% (%s files scanned) " "$percent" "$files_so_far" + # Scan each path individually with -a (scan-all) flag + # Note: -a flag scans all files regardless of modification time + # Cannot combine -a with -f (file-list), so we loop through paths + MALDET_EXIT=0 + TOTAL_MALDET_FILES=0 + TOTAL_MALDET_HITS=0 + + for path in "${SCAN_PATHS[@]}"; do + if [ ! -d "$path" ]; then + log_message "Maldet: Skipping non-existent path: $path" + continue fi + + log_message "Maldet: Scanning $path with -a (all files)" + + # Run with -a (scan-all) for comprehensive scanning + # Timeout after 2 hours per path + timeout 7200 maldet -b -a "$path" &>> "$LOG_DIR/maldet.log" + local exit_code=$? + + if [ $exit_code -ne 0 ]; then + MALDET_EXIT=$exit_code + fi + + # Give scan a moment to complete + sleep 2 done - MALDET_EXIT=$? 
+ echo "" # New line after progress if [ "$MALDET_EXIT" -eq 124 ]; then log_message "ERROR: Maldet scan timed out after 2 hours" echo " ⏱️ Scan timed out (exceeded 2 hour limit)" echo "Maldet scan timed out" >> "$SUMMARY_FILE" - rm -f "$TEMP_PATHLIST" SCAN_END=$(date +%s) DURATION=$((SCAN_END - SCAN_START)) echo "" @@ -1096,16 +1107,16 @@ for scanner in "${AVAILABLE_SCANNERS[@]}"; do log_message "ERROR: Maldet scan failed with exit code $MALDET_EXIT" echo " ✗ Scan failed (exit code: $MALDET_EXIT) - check logs" echo "Maldet scan failed (exit code: $MALDET_EXIT)" >> "$SUMMARY_FILE" - rm -f "$TEMP_PATHLIST" SCAN_END=$(date +%s) DURATION=$((SCAN_END - SCAN_START)) echo "" continue fi - # Extract scan results - FILES_SCANNED=$(grep "files scanned" "$LOG_DIR/maldet.log" | tail -1 | awk '{print $1}') - MALDET_HITS=$(grep "malware hits" "$LOG_DIR/maldet.log" | tail -1 | awk '{print $1}') + # Extract scan results from event log (more reliable than parsing output) + # Maldet logs to /usr/local/maldetect/logs/event_log + FILES_SCANNED=$(grep "scan completed" /usr/local/maldetect/logs/event_log | tail -1 | grep -oP 'files \K[0-9]+' || echo 0) + MALDET_HITS=$(grep "scan completed" /usr/local/maldetect/logs/event_log | tail -1 | grep -oP 'malware hits \K[0-9]+' || echo 0) # Validate numbers if ! [[ "$FILES_SCANNED" =~ ^[0-9]+$ ]]; then @@ -1115,8 +1126,6 @@ for scanner in "${AVAILABLE_SCANNERS[@]}"; do MALDET_HITS=0 fi - rm -f "$TEMP_PATHLIST" - SCAN_END=$(date +%s) DURATION=$((SCAN_END - SCAN_START)) echo " ✓ Scanned $FILES_SCANNED files"
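Review bot: `timeout 7200 maldet -b -a "$path"` keeps the `-b` flag, which in maldet means run the scan in the background, so if that holds here the command returns as soon as the scan is launched: `timeout 7200` and `exit_code` then cover only the launcher, the `sleep 2` does not wait for the scan to finish, and the results read from the event log afterwards can belong to an earlier scan. Dropping the flag (`timeout 7200 maldet -a "$path" &>> "$LOG_DIR/maldet.log"`) makes the timeout, the exit code and the later result extraction refer to the scan itself. `local exit_code=$?` also assumes this loop runs inside a function; the enclosing `for scanner` loop starts and ends outside the hunk, and if it is at top level `local` fails and `exit_code` stays unset, so the plain assignment `exit_code=$?` is the safer form either way. A later non-zero code also overwrites an earlier 124 in `MALDET_EXIT`, so a timeout on one path is reported as a generic failure when a subsequent path fails differently.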
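Review bot: The new extraction reads only the last `scan completed` line of the event log, so with several entries in `SCAN_PATHS` the reported `FILES_SCANNED` and `MALDET_HITS` describe the final path alone, and the `TOTAL_MALDET_FILES`/`TOTAL_MALDET_HITS` counters initialised in the first hunk are never accumulated or used. When every path is skipped as non-existent, `MALDET_EXIT` stays 0 and the line found is from a previous run, so stale results are presented as the current scan. Recording the event log's line count before the loop and summing the `files` and `malware hits` values of the lines appended after it would give per-run totals; the hard-coded `/usr/local/maldetect/logs/event_log` path is also worth hoisting into a named variable next to `LOG_DIR`. Note too that `grep -oP` needs PCRE support and `|| echo 0` masks a grep usage error, so on a grep without `-P` the scan would report 0 files and 0 hits as a success, the same silent-failure mode this commit sets out to fix.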