diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh
index 1a69e86..b1ccc6c 100755
--- a/modules/security/malware-scanner.sh
+++ b/modules/security/malware-scanner.sh
@@ -281,24 +281,24 @@ install_maldet_only() {
     local best_source=""
 
     # Download sources in priority order
+    # Format: "name|url|label" (using | as delimiter to avoid splitting https://)
     local sources=(
-        "rfxn:https://www.rfxn.com/downloads/maldetect-latest.tar.gz:rfxn.com (official)"
-        "github-api:https://api.github.com/repos/rfxn/maldet/archive/refs/heads/main.tar.gz:GitHub API"
-        "github:https://github.com/rfxn/maldet/archive/refs/heads/main.tar.gz:GitHub direct"
+        "rfxn|https://www.rfxn.com/downloads/maldetect-latest.tar.gz|rfxn.com (official)"
+        "github-api|https://api.github.com/repos/rfxn/maldet/archive/refs/heads/main.tar.gz|GitHub API"
+        "github|https://github.com/rfxn/maldet/archive/refs/heads/main.tar.gz|GitHub direct"
     )
 
     echo "Attempting to download from sources..."
     echo ""
 
     for source_info in "${sources[@]}"; do
-        IFS=: read -r source_name source_url source_label <<< "$source_info"
+        IFS='|' read -r source_name source_url source_label <<< "$source_info"
 
         echo "  Trying $source_label..."
 
         # Try download with aggressive timeout
-        # --connect-timeout: fail fast if connection can't be established
-        # --max-time: fail if entire operation takes too long
-        # --speed-time: fail if sustained transfer speed is too slow
+        # --timeout: fail if no progress for this many seconds
+        # --read-timeout: fail if no data received for this many seconds
         if wget -q --timeout=30 --read-timeout=10 -O "$temp_file" "$source_url" 2>/dev/null; then
             if [ -f "$temp_file" ] && [ -s "$temp_file" ]; then
                 echo -e "  ${GREEN}✓ Download successful from $source_label${NC}"
@@ -310,7 +310,7 @@ install_maldet_only() {
         fi
 
         # Also try with curl as fallback
-        if ! [ "$download_success" = true ]; then
+        if [ "$download_success" = false ]; then
             if curl -f --connect-timeout 10 --max-time 30 -L -o "$temp_file" "$source_url" 2>/dev/null; then
                 if [ -f "$temp_file" ] && [ -s "$temp_file" ]; then
                     echo -e "  ${GREEN}✓ Download successful from $source_label${NC}"
@@ -349,10 +349,14 @@ install_maldet_only() {
         if [ -n "$local_archive" ]; then
             echo ""
             echo "Using pre-downloaded archive..."
-            cp "$local_archive" /tmp/maldetect-offline.tar.gz
-            temp_file="/tmp/maldetect-offline.tar.gz"
-            download_success=true
-            best_source="offline-archive"
+            if cp "$local_archive" /tmp/maldetect-offline.tar.gz 2>/dev/null; then
+                temp_file="/tmp/maldetect-offline.tar.gz"
+                download_success=true
+                best_source="offline-archive"
+                echo -e "${GREEN}✓ Archive ready for extraction${NC}"
+            else
+                echo -e "${RED}✗ Failed to copy archive${NC}"
+            fi
         else
             echo -e "${RED}✗ No local archive found${NC}"
             echo ""