eComscan will find and report known insecure modules. A team of security researchers maintains a database of vulnerable version numbers. 


You may have disabled or renamed a vulnerable module, but still get an alert. This is intended, because sometimes insecure modules still pose a threat, even when they are marked as "disabled". 


You may have manually patched a vulnerability, for example when no official fix or update is available. To stop eComscan from reporting this module, you should add "-patch" to the version number (for Magento 1, this is under Vendor/Module/etc/config.xml).