That's true, Priyasinha, James is handling this.
The 220.127.116.110 installer was downloaded without incident. There's definitely something in the 18.104.22.168 exe that Sophos doesn't like the look of. Microsoft Security Essentials OK'd it, though.
Reverting to 3.3 was the only solution.
Note to self (and others), "When verification of an installer download gives this error, DO NOT continue - you will have to uninstall the product to get a working version".