Support

This is a problem with false positives on the third party product you are using. Since you are their client you need to contact them and explain the problem their software is causing you. According to our experience every time we contact the vendor of such software we either get no reply or we get a form reply that its users can add any file they want to a whitelist - which you already do.

The only thing we can do on our side is make sure that the code we produce is safe, i.e. it does not cause any security issues on your site. This is what I've been doing since the very first beta version of JoomlaPack I released in 2006.

If you want more information on why signature scanning source code won't yield accurate results you should read the documentation of Admin Tools' PHP File Change Scanner feature. The Threat Score calculation is doing exactly what CXS and hundreds of other similar solutions do: it matches your PHP files against code patterns which are typically, but not exclusively, used by malicious script and flags the files where these patterns appear. Our solution is much smarter in that it does a weighed score (e.g. it knows that base64_decode by itself is probably safe but a regex with the 'e' flag is most definitely not) and draws your attention to the important files. It also keeps track of which files have changed not just by timestamp but also by multiple checksums and won't bother you about the same files over and over again if you mark them as safe. Basically, I don't see why you need to use CXS when are already paying for and have installed a better solution on your site. Would you rather we renamed PHP FIle Change Scanner to "Malware Scanner"? Because that's a discussion we're currently having internally, seeing that our clients do miss the point of that feature :)