The current Malware version looks for encoded base 64 strings, most web-shells will be encoded and malware that has been inserted in to legitimate files on your website will also be encoded. Due to this some files will get picked up by the scanner even though there may be nothing wrong with them, the best course of action for this it to verify these files are untouched by comparing them to the original files from the source (where you got them from). If these are legitimate files you can mark them as false positives and prevent them from been scanned again.
To mark a file as a false positive
- Open the Alert
- Click on View Details
- Then click the file you want to mark
- Then click the False Alarm button