This is strange. I'm doing something wrong that I can't figure out.
From the logs:
12/01/2009 09:07:29 10.10.203.4 GET 200
http://www.uniferblog.com/DSC01010.scr 531+205312 VIRUS ClamAV: DSC01010.scr.UNOFFICIAL
12/01/2009 09:07:40 10.10.203.4 GET 200
http://www.uniferblog.com/DSC01010.scr 421+205312 VIRUS ClamAV: DSC01010.scr.UNOFFICIAL
12/01/2009 09:08:12 10.10.203.4 GET 200
http://www.uniferblog.com/DSC01010.scr 421+205312 VIRUS ClamAV: DSC01010.scr.UNOFFICIAL
12/01/2009 09:08:15 10.10.203.4 GET 200
http://www.uniferblog.com/DSC01010.scr 421+205312 VIRUS ClamAV: DSC01010.scr.UNOFFICIAL
These generated by someone in the network (who received an email with links to the malware)
So havp is detecting and blocking, but I can still download it, when other malware that I have for testing is blocked.