After that, if the file is modified, then a Tripwire-type solution should catch it, I would think. In the mean time, everyone's checking those MD5 sums, right?
The tripwire daemon should be monitoring the size of the executables in /bin, not the downloaded file. Those are the normal targets, all the regular Unix commands that are run frequently.