HTTP Anti-Virus Proxy

I'm not able to block a malware that is downloaded via a php file.
The url is: http://www.oursouthernlakes.com/images/DSC01088.php
The downloaded file is not currently detected by clamav (I have submitted the sample do) but I created an UNOFFICIAL sig for it.
I'm able to detect the malware with clamscan:
clamdscan DSC01010.scr
DSC01010.scr: DSC01010.scr.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.096 sec (0 m 0 s)

Did you reload HAVP with SIGHUP? Does it help if you restart it completely?

I restarted clamav and havp. If you have the time you can try to reproduce the situation, the malware is still there.

This is strange. I'm doing something wrong that I can't figure out.
From the logs:
12/01/2009 09:07:29 10.10.203.4 GET 200 http://www.uniferblog.com/DSC01010.scr 531+205312 VIRUS ClamAV: DSC01010.scr.UNOFFICIAL
12/01/2009 09:07:40 10.10.203.4 GET 200 http://www.uniferblog.com/DSC01010.scr 421+205312 VIRUS ClamAV: DSC01010.scr.UNOFFICIAL
12/01/2009 09:08:12 10.10.203.4 GET 200 http://www.uniferblog.com/DSC01010.scr 421+205312 VIRUS ClamAV: DSC01010.scr.UNOFFICIAL
12/01/2009 09:08:15 10.10.203.4 GET 200 http://www.uniferblog.com/DSC01010.scr 421+205312 VIRUS ClamAV: DSC01010.scr.UNOFFICIAL

These generated by someone in the network (who received an email with links to the malware)

So havp is detecting and blocking, but I can still download it, when other malware that I have for testing is blocked.

Familiarize yourself with how KEEPBACKBUFFER setting works..

I found the problem. I was creating the signature with
sigtool --md5 DSC01010.scr

They are changing the file over time, the md5 created now is differrent from the original.