MWG has been using ICAP forever, so we know plenty about ICAP.
In this case though, I could see MWG act as a ICAP server and a reverse proxy. With ICAP, the files could be sent over and checked when they are uploaded (the AIX would be the ICAP client). Acting as a reverse proxy MWG could scan each download by users from the AIX server.
Thinking about it further, the MWG could simply be a reverse proxy and scan both uploads and downloads. This would eliminate the need for creating a special java ICAP client tool. I have had customers using MWGs as a reverse proxy to protect their WebSpheres in the past.