The PHP File Change Scanner's results are meant to be interpreted from the second run onwards. The whole concept of this feature is that PHP files may be added or changed in one of two ways: 1. because you did that yourself (e.g. upgraded Joomla and / or its extensions) or 2. you got hacked.
The first scan is meant to provide a baseline for your site, i.e. the initial state to which the second etc scan will be compared against.
When you take the first scan you need to be fairly certain that your site is "clean". If your site does not exhibit any unintentional behavior you can be fairly certain that this is the case. So go ahead and mark all files with a non-zero Threat Score as safe.
The next scans should show no changes to your files. If a .php file appears as changed or added the Threat Score will help you understand how likely it is for the file to be malicious. Chances are that in most sites you won't see any such changes.
Then you will eventually need to upgrade Joomla or one of its extensions. First take a scan. You should see no changes. Upgrade Joomla and / or its extensions. Immediately run another scan. Right now you can be sure that all of the changed and added files happened as a result of your upgrade action. So go ahead and mark all files with a non-zero Threat Score as safe.
As you may have gathered by now, you only need to worry about changed / added files in the scans you take between subsequent upgrades to Joomla and / or its extensions. The idea is that if you didn't upgrade something there should be no reason for .php files to magically appear or be modified. Some extensions may do that, though -- for example, when you enable the settings encryption in Akeeba Backup it does generate a .php file with the encryption key. That's why you have the Threat Score, to help you understand if the unexpected new or modified file is safe or not.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!