I have 10 to 30 false positives per site right now because Defender started marking all plugins that use eval(). In all these cases I have looked at the source code from the repository, and found that these lines are as they were intended to be. It would save some time (and some panic) if Defender marked them as Insecure rather than Suspicious. I woke up yesterday thinking all my hosting accounts were compromised. Now I still have to go to each site and bulk ignore if I am going to get Defender to alert me of real problems.