Thanks for the tips! I tend to agree that firewall-based AV isn't really that useful, especially with so many sites using HTTPS these days.
I have no experience with clamAV, but our client-side ESET performs quite well, so maybe I'll leave well enough alone rather than get into Squid, etc. (something else I have no experience with)
Thanks for the tip regarding pfBlocker, we currently use DynDNS for content filter at only $10/year, but it's DNS-based so easy to bypass for intermediate users. This might be the answer I was looking for, though!