That's true, Priyasinha, James is handling this.
The 184.108.40.2060 installer was downloaded without incident. There's definitely something in the 220.127.116.11 exe that Sophos doesn't like the look of. Microsoft Security Essentials OK'd it, though.
Reverting to 3.3 was the only solution.
Note to self (and others), "When verification of an installer download gives this error, DO NOT continue - you will have to uninstall the product to get a working version".