I just installed CIS 3.8.64263.468. During the installation scan for malware, it detected malware in the file graywallsetup.exe, which is part of Mercury Mail. Mercury Mail was in this case part of the XAMPP software package (bundled open source web server software). It happened for the files contained in XAMPP 1.6.8 and XAMPP 1.7.0.
It marked the file as having Application.Win32.FraudTool.MacroVirus.~A(ID=0x2cd256).
Now, I’m not personally sure it is virus free, but I’d be very surprised if it was (CIS 3.5 and Avast 4.8 don’t trigger on it), and there would have been a huge outcry if XAMPP was packaging a virus/malware.