Please read again my previous reply. You are missing the point. What I am saying is that any antivirus, malware scanner, whatever-marketing-calls-it is NOT 100% accurate. It simply cannot be. Even if you get 99% accuracy (which is unrealistic; most antivirus go up to 98% for binary executables, far less for source code) it means that 1 of 100 files will be either a false positive or a false negative. On a typical Joomla! site you have about 5000 files. You can do the math.
So, yes, most hacked sites will be reported as such.
Some not hacked sites will be reported hacked as well (false positive); you should not trust that as an absolute truth, you should investigate further. The best thing you can do is compare those files to a known good state.
Some hacked sites will be reported as not hacked (false negative). I've seen a very ingenious hacking script which posed as a legitimate Joomla! file, followed the Joomla! coding standard, had comments even, but had a malicious intent hidden as a subtle bug in one of the legitimate-looking methods. At first glance something bothered me. When I read the code again I did a double take. That file was designed to let an attacker execute arbitrary commands remotely.
Both false positives and false negatives can be caught more easily using Admin Tools' PHP File Change Scanner. Please read its documentation on reading the reports (especially what I've written under Threat Score). If you see a .php file popping up without having installed an update an alarm bell should be going off; this is usually a sign of malicious activity. If you see a .php file being added or modified exactly after an update you can mark it as safe even if it registers a very high threat score; it's obviously a false positive since it only got created/modified right after an update you initiated yourself.
If that's too much work (it is; I'll give you that) you can still rely on scanning your sites with an antivirus. You should just be aware of the possibility of false positives which spook you for no good reasons and the far less likely but much more serious possibility of false negatives.
I like car analogies (my degree is in Mechanical Engineering) so let me put it this way. The antivirus is the seatbelt and airbag. It will protect you in case of a minor to medium severity crash. The airbag may also deploy on a small crash when it really isn't necessary and cause minor injuries you can laugh about after a quick visit to A&E. The PHP File Change Scanner is installing a roll cage and putting on a five-point harness, helmet and Nomex clothing. It will protect you even in some of the most scary crashes at the expense of being a serious pain in the posterior. There are some cases where you still get seriously injured and/or die. Thankfully, unlike real life, you can resurrect, i.e. restore, your site from a backup -- which is why having frequent, automated, off-site backups is very important.
Nicholas K. Dionysopoulos
Lead Developer and Director
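The triage rule described in the reply above (compare against a known good state, then check whether a new or changed .php file lines up with an update you ran yourself), as an added example that is not part of the original post and is not Admin Tools' code. The function names, the 15-minute window and the sample data are assumptions made for illustration.

```python
import hashlib
from pathlib import Path

# Assumption: "right after an update" means within 15 minutes of it.
UPDATE_WINDOW = 15 * 60


def snapshot(root):
    """Map each .php file under root to (sha256 hex digest, mtime)."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*.php")):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            snap[p.relative_to(root).as_posix()] = (digest, p.stat().st_mtime)
    return snap


def triage(baseline, current, update_times, window=UPDATE_WINDOW):
    """Return (path, change, verdict) for every added or modified file.

    baseline is the known good snapshot, current is a fresh one and
    update_times lists the epoch times of updates the admin initiated.
    """
    findings = []
    for path, (digest, mtime) in sorted(current.items()):
        if path not in baseline:
            change = "added"
        elif baseline[path][0] != digest:
            change = "modified"
        else:
            continue  # same hash as the known good state
        after_update = any(0 <= mtime - t <= window for t in update_times)
        # mtime can be set by whoever wrote the file, so "likely-update"
        # is a hint for prioritising review, not proof the file is clean.
        verdict = "likely-update" if after_update else "investigate"
        findings.append((path, change, verdict))
    return findings


if __name__ == "__main__":
    # Constructed sample data: one update was run at t=5000.
    good = {"index.php": ("aa", 1000.0), "lib/a.php": ("bb", 1000.0)}
    now = {"index.php": ("aa", 1000.0), "lib/a.php": ("cc", 5060.0),
           "tmp/x.php": ("dd", 9000.0)}
    for finding in triage(good, now, update_times=[5000.0]):
        print(finding)
```

Take the baseline snapshot right after a clean install or restore and keep it off the web server, so an intruder cannot rewrite it along with the site files.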