Scanning the content of a secure connection would be considered as a 'man-in-the-middle' attach and would completely defeat the purpose.
Scanning incoming content from the Internet is no problems. I use SafeSquid as content filtering proxy to control access to the net, which is integrated with ClamAV to do just that at the gateway, with satisfactory results. SafeSquid also has a buit-in connectivity to other commercial AVs like Dr. Web, NOD32, Kaspersky, Sophos, Avast, Trend Micro, Symantec, etc.
I don't know if this can be done, but this is just an idea, if it would be helpful. SafeSquid can also be deployed as a reverse proxy. You can granularly configure who is allowed to access what, when and how much. So, I think it should be possible to define IP based or authentication based rules for the vendors, and define what they are allowed to access? Again, all the content that you receive from the vendors, can also be scanned. Would that be a workable solution?