The “Core Integrity Checks” tool only runs in the core WordPress directories; if the other malicious files are in the content, uploads, or a custom directory then the plugin will not report them, because it is not a server-side scanner but a file monitor. If the malicious files were uploaded or injected into the project before the last file system scan then they are probably listed in the “Audit Logs” panel.
Some people have suggested that the plugin should check the integrity of every directory and file inside the project, not only the WordPress core files, but I cannot do that because the performance of the scanners depends on the resources provided by the server where each website is hosted.
If I force the plugin to scan everything then there will be people who start to complain that the plugin is consuming too much memory and/or CPU. This is one of the reasons why I implemented six different file scanners; you can see them listed separately in the “Scanner Settings” panel located in the plugin’s settings page.
I will pass this discussion on to our development team to see if my co-workers agree to modify the code of the plugin to be more aggressive during the execution of the file system scanners. Thanks for the feedback.
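The distinction drawn above (a core integrity check that only hashes wp-admin/, wp-includes/ and the top-level core files, versus a file monitor that records changes anywhere in the install) is easy to see with a small worked example. The script below is added here as an illustration and is not the plugin's own code (the plugin is written in PHP; this is Python). It constructs a throwaway install layout in a temporary directory, takes two baselines, plants a constructed dropper in wp-admin/ and another in wp-content/uploads/, tampers with one core file, and then runs both kinds of check. MD5 is used because that is what the WordPress.org core checksums are published as; the directory names, file contents and "infection" are all constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Scope of the core check, mirroring a WordPress install layout (assumed for this
# example): the two core directories plus the top-level core files. wp-content/
# is deliberately outside this set, which is exactly why files dropped in
# uploads/ or a plugin directory never show up in a core-only check.
CORE_DIRS = ("wp-admin", "wp-includes")
CORE_ROOT_FILES = ("index.php", "wp-load.php", "wp-settings.php")


def md5_file(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk_files(root: Path, subdirs):
    """Yield install-relative paths of every file under the given subdirectories."""
    for sub in subdirs:
        base = root / sub
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*")):
            if path.is_file():
                yield path.relative_to(root).as_posix()


def core_paths(root: Path):
    """Paths a core integrity check covers: core dirs plus the root core files."""
    yield from walk_files(root, CORE_DIRS)
    for name in CORE_ROOT_FILES:
        if (root / name).is_file():
            yield name


def all_paths(root: Path):
    """Every file in the install, core or not: what a file monitor has to hash."""
    for path in sorted(root.rglob("*")):
        if path.is_file():
            yield path.relative_to(root).as_posix()


def build_manifest(root: Path, paths) -> dict:
    """Map relative path -> md5 for the given paths (a baseline snapshot)."""
    return {rel: md5_file(root / rel) for rel in paths}


def integrity_check(root: Path, expected: dict, observed_paths) -> dict:
    """Compare files on disk against a baseline manifest.

    Returns three buckets: files whose hash changed ("modified"), baseline files
    no longer on disk ("missing"), and files on disk the baseline never listed
    ("added"). A dropped web shell lands in "added"; a backdoored core file in
    "modified".
    """
    observed = build_manifest(root, observed_paths)
    return {
        "modified": sorted(p for p in expected if p in observed and observed[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in observed),
        "added": sorted(p for p in observed if p not in expected),
    }


def demo() -> dict:
    """Constructed scenario: clean baselines, then an infection, then both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in ("wp-admin/admin.php", "wp-includes/functions.php",
                    "index.php", "wp-load.php", "wp-settings.php",
                    "wp-content/plugins/hello.php",
                    "wp-content/uploads/2015/01/image.jpg"):
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"<?php // constructed clean file " + rel.encode() + b"\n")

        core_baseline = build_manifest(root, core_paths(root))   # core check baseline
        monitor_baseline = build_manifest(root, all_paths(root))  # file monitor baseline

        # Constructed "infection": a dropper in a core directory, a second one
        # outside core, and a tampered core file.
        (root / "wp-admin" / "wp-cache.php").write_bytes(b"<?php // constructed dropper\n")
        (root / "wp-content" / "uploads" / "2015" / "01" / "shell.php").write_bytes(b"<?php // constructed dropper\n")
        (root / "wp-includes" / "functions.php").write_bytes(b"<?php // constructed tampered core file\n")

        return {
            "core_only": integrity_check(root, core_baseline, core_paths(root)),
            "file_monitor": integrity_check(root, monitor_baseline, all_paths(root)),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it shows the core-only check reporting the wp-admin/ dropper and the tampered wp-includes/ file while saying nothing about the file in uploads/, whereas the full-tree monitor reports all three. The cost of the second approach is the full-tree walk and hash on every run, which is the memory/CPU trade-off described above.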
There were a few other copies of the same file which Sucuri did not flag up. One was in the root, but 3 were in the WordPress core install, e.g. one was in the wp-admin folder.
I added a note with changeset 1155457 [1] explaining the real functionality of the “Integrity Checks” tool and the “Audit Logs” panel, which is the actual file monitor and the tool that people should use when they suspect an infection, not the former. You can download the development version [2] of the plugin if you want to test the new changes.
[1] https://plugins.trac.wordpress.org/changeset/1155457
[2] https://downloads.wordpress.org/plugin/sucuri-scanner.zip