Hi Thilothama,
I assume you mean with backup files older copies of pages and microflows, etc, given you example of backup files.
I see two ways in which you can handle this.
Let me know which option you choose and why.
Those aren't backup files, those are the XML files your Mendix application needs to work. They describe how each page should be displayed and what data it expects.
In short, it's a false alert from your penetration testing.