
Is this a virus?

Marvin Scham edited this page Jul 25, 2022 · 4 revisions

I assure you it's not, but it will be detected as one.

Downloading or running either disenchanter.exe or disenchanter_up.exe will probably trigger a trojan alert from your antivirus.

Why?

As the script is written in Ruby, it needs Ruby to run. Unless you're a Ruby developer, you probably don't have it installed on your machine.

The executable contains the means to create a temporary Ruby environment for the duration of the script run so you don't need to install Ruby.

Creating temporary files is an indicator of trojan-like behavior, which is why the executable is detected as potentially malicious.

Known false positives in Windows Defender:

  • Trojan:Win32/Wacatac.B!ml

  • Trojan:Script/Wacatac.B!ml

  • Trojan:Win32/Sabsik.FL.B!ml

The script got deleted by Windows Defender, what can I do?

You'll have to restore the file from your Windows Defender settings.

If it keeps getting deleted or you keep getting alerts, consider creating an exclusion.
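The check-then-restore-then-exclude procedure above, as an added PowerShell example using the built-in Defender cmdlets and MpCmdRun.exe (not code from the disenchanter project); the path in $ExePath is an assumption:

```powershell
# Added example, not part of the disenchanter project: look up what Defender
# flagged, restore the quarantined file, and exclude only that one file.
# Run in an elevated PowerShell session. $ExePath is an assumption; set it to
# wherever you saved the executable.
$ExePath = 'C:\Users\you\Downloads\disenchanter.exe'

# Threat names this wiki page lists as known false positives.
$KnownFalsePositives = @(
    'Trojan:Win32/Wacatac.B!ml',
    'Trojan:Script/Wacatac.B!ml',
    'Trojan:Win32/Sabsik.FL.B!ml'
)

# 1. Find detections whose resource list points at this file and resolve the
#    threat name. Resources look like "file:_C:\path\disenchanter.exe".
$hits = Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($ExePath) }
if (-not $hits) { Write-Host "No Defender detection recorded for $ExePath"; return }

$names = foreach ($hit in $hits) {
    (Get-MpThreat -ThreatID $hit.ThreatID).ThreatName
}
if (-not $names) { Write-Warning 'Detection found but no threat name resolved'; return }
$names | Sort-Object -Unique | ForEach-Object { Write-Host "Detected as: $_" }

# 2. Only proceed when every detection is one of the documented false positives;
#    any other name deserves a closer look before you trust the file.
$unknown = $names | Where-Object { $KnownFalsePositives -notcontains $_ }
if ($unknown) { Write-Warning "Unexpected threat name(s): $($unknown -join ', ')"; return }

# 3. Restore the file from quarantine (MpCmdRun.exe ships with Defender).
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -FilePath $ExePath

# 4. Exclude this single file, not its folder, so the exclusion stays narrow,
#    then confirm it was recorded.
Add-MpPreference -ExclusionPath $ExePath
(Get-MpPreference).ExclusionPath | Where-Object { $_ -eq $ExePath }
```

Re-run the first step after the self-updater fetches a new version, since a fresh build may be flagged under a different name.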

This still seems fishy, are there alternatives?

You can read the source code on GitHub to make sure the script only does what I claim it does.

Then you can either:

  • Run the Ruby script (disenchanter.rb) yourself

    • Requires Ruby

    • Requires bundler (run gem install bundler)

    • Run bundle install in the source's root folder to install dependencies

  • Build the executable yourself – I used Ocra 1.3.11 with the config provided in build.cmd

    • Requires the same preparation steps as the previous option

Keep in mind that the self-update functionality will still retrieve newly released versions of the pre-built executable from GitHub. This requires your explicit consent, though.