diff --git a/cms-ver.php b/cms-ver.php
index 00336ed..e5a4232 100644
--- a/cms-ver.php
+++ b/cms-ver.php
@@ -179,6 +179,7 @@
 array("CRE Loaded/Loaded Commerce", "/includes/version.php", "define('PROJECT_VERSION', 'Loaded Commerce", "EOL"),
 array("CodeIgniter", "/system/codeigniter/core/CodeIgniter.php", "define('CI_VERSION',", "Maintained"),
 array("LimeSurvey", "/application/config/version.php", "\$config['versionnumber'] =", "Maintained"),
+ array("ELGG", "/vendor/elgg/elgg/composer.json", "\"version\":", "Maintained"),
 // still need to work on these
 array("Silverstripe", "/cms/silverstripe_version", "*"), //needs review
diff --git a/cms-vss.php b/cms-vss.php
index 7f1ee72..31dcda6 100644
--- a/cms-vss.php
+++ b/cms-vss.php
@@ -192,6 +192,7 @@
 array("CRE Loaded/Loaded Commerce", "/includes/version.php", "define('PROJECT_VERSION', 'Loaded Commerce", "EOL"),
 array("CodeIgniter", "/system/codeigniter/core/CodeIgniter.php", "define('CI_VERSION',", "Maintained"),
 array("LimeSurvey", "/application/config/version.php", "\$config['versionnumber'] =", "Maintained"),
+ array("ELGG", "/vendor/elgg/elgg/composer.json", "\"version\":", "Maintained"),
 // still need to work on these
 array("Silverstripe", "/cms/silverstripe_version", "*"), //needs review
@@ -202,7 +203,6 @@
 array("Admidio", "/adm_program/system/constants.php", "define('ADMIDIO_VERSION_MAIN',"), // needs two more lines
 array("Get Simple CMS", "/admin/inc/configuration.php", "\$site_full_name"), // needs one more line
 array("SquirrelCart", "/squirrelcart/functions/base/sc_version.func.php", "function sc_version() {"), //needs one more line
- array("ELGG", "/version.php", "release ="), // false positives with Moodle -< needs one more line
 array("CMS Made Simple", "/version.php", "CMS_VERSION ="), // needs 3 lines more
 array("DataLife Engine", "/index.php", "dle_version ="), //needs one more line
 array("phpCoin", "/version.php", "ThisVersion"), //needs one more line
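Review bot: The new `ELGG` signature in the cms-ver.php hunk at line 179 (and the identical line added to cms-vss.php at line 192) only matches installs that expose `/vendor/elgg/elgg/composer.json`. Layouts that keep the version in `/version.php`, the file the removed pending entry in cms-vss.php pointed at, are not covered by any visible entry. The removal of the old `array("ELGG", "/version.php", "release =")` entry is only visible for cms-vss.php; if cms-ver.php still carries it, it should be dropped there too, since its own comment says it produces false positives with Moodle. The fourth field is a fixed `"Maintained"` label, so if it is reported without comparing the detected version number, an outdated install would presumably be shown as maintained; a comment such as `// status describes the project, not the detected version` would make that limit explicit.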
diff --git a/scan.py b/scan.py
index 72157c0..26e551b 100644
--- a/scan.py
+++ b/scan.py
@@ -243,6 +243,7 @@ scoring = {
 'EITEST': (65, u'Eitest'),
 'CRYPTO': (65, u'Cryptocurrency Miners'),
 'HTML_JS': (20, u'HTML & Javascript Malware'),
+ 'BINARY': (10, u'Binary File - Possible LRE or CryptoMiner'),
 }
@@ -560,6 +561,10 @@ def is_hacked(filename):
 score.append(('HTML_JS', ''))
 previous_line = l
+ if 'PROT_EXEC|PROT_WRITE failed.' in l \
+ or 'This file is packed with the UPX executable packer' in l:
+ score.append(('BINARY', ''))
+
 if line_num < 20:
 score.append(('FEW_LINES', '%i lines' % line_num))
 elif line_num < 100:
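Review bot: `'BINARY': (10, ...)` is the lowest weight visible in the `scoring` hunk, half of `HTML_JS` (20) and far below `CRYPTO` (65), even though its label names a possible cryptominer. If the reporting threshold, which is outside the hunk, is above 10, a packed executable with no other indicator may never be reported; confirm the weight against that threshold. The abbreviation `LRE` is not explained anywhere visible, so spell it out in the label or in a comment next to the entry.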
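Review bot: A stock UPX-packed ELF normally carries both marker strings, so if this test in `is_hacked` runs once per line inside the read loop it can append `('BINARY', '')` more than once for the same file. The loop header is outside the hunk and the indentation is not recoverable here, and whether duplicates inflate the total depends on how `score` is summed. Guard the append with a flag or de-duplicate before scoring, and add a comment such as `# UPX stub strings: flags packed ELF binaries found in the scanned tree`. Both literals come from the unmodified UPX stub, so an executable that is not UPX-packed is not flagged by this check; testing the file's leading bytes for the ELF magic would cover that case. The body of `is_hacked` starts and ends outside the hunk.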