I ran the Defender scan on two sites. In one, which is brand new, it said that wp-config-sample was suspicious, just because it was checking against the English version of that file, whereas I had the Spanish version. A minor bug, I'd say (or a missing feature, if you wish).
The other one was more tricky. For one thing - I know the site *was* hacked, I took charge of it to fix it. I ran Defender on a local clone of the hacked site. The report found tons of WordPress core files as suspicious - but I wonder whether that was due just to the fact that the WordPress version was not the latest (I wanted to check the original hacked site for diagnostics, so it didn't make sense to update WordPress for that). I mean, I would expect a hacker to modify a few core files, not hundreds of them. Seeing the search for "literal copies" of files exhibited by the "detection" of wp-config-sample.php in the other site, should I take this report seriously?
(There were four other suspicious files with a "high" ranking. Those made more sense.)
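An added example, not part of the original post and not Defender's own code: a core-file integrity check only means something when the reference checksums are for the same WordPress version and locale as the install being examined. The sketch below reads both from `wp-includes/version.php`, builds the matching api.wordpress.org checksum URL (it makes no network call), and compares files against a manifest; the file tree, the manifest and the extra file name are constructed for the demonstration.

```python
import hashlib, re, tempfile
from pathlib import Path

API = "https://api.wordpress.org/core/checksums/1.0/?version={v}&locale={l}"

def installed_release(root):
    """Read version and locale from wp-includes/version.php (en_US if no local package)."""
    text = (Path(root) / "wp-includes/version.php").read_text(encoding="utf-8")
    ver = re.search(r"\$wp_version\s*=\s*'([^']+)'", text).group(1)
    loc = re.search(r"\$wp_local_package\s*=\s*'([^']+)'", text)
    return ver, (loc.group(1) if loc else "en_US")

def manifest_url(root):
    """URL of the checksum manifest that matches this install, not the latest release."""
    v, l = installed_release(root)
    return API.format(v=v, l=l)

def verify_core(root, checksums):
    """Compare files under root with a {relative_path: md5} manifest."""
    root = Path(root)
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, md5 in checksums.items():
        f = root / rel
        if not f.is_file():
            report["missing"].append(rel)
        elif hashlib.md5(f.read_bytes()).hexdigest() != md5:
            report["modified"].append(rel)
    for f in root.rglob("*.php"):  # PHP files in core directories that the release never shipped
        rel = f.relative_to(root).as_posix()
        if rel.startswith(("wp-admin/", "wp-includes/")) and rel not in checksums:
            report["unexpected"].append(rel)
    return {k: sorted(v) for k, v in report.items()}

def demo():
    """Constructed tree: a Spanish 6.4.3 install with one altered and one extra core file."""
    root = Path(tempfile.mkdtemp())
    files = {
        "wp-includes/version.php": "<?php\n$wp_version = '6.4.3';\n$wp_local_package = 'es_ES';\n",
        "wp-includes/load.php": "<?php // original\n",
        "wp-config-sample.php": "<?php // ejemplo traducido\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(body.encode())
    manifest = {rel: hashlib.md5(body.encode()).hexdigest() for rel, body in files.items()}
    (root / "wp-includes/load.php").write_bytes(b"<?php // altered\n")
    (root / "wp-includes/cache-x.php").write_bytes(b"<?php // not in release\n")
    return manifest_url(root), verify_core(root, manifest)

if __name__ == "__main__":
    print(demo())
```

Against a manifest for the right release, the translated `wp-config-sample.php` and every untouched core file match, so what remains in the report is the short list worth reading by hand.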