M-SOC

Members
  • Posts: 4
Kudos

  1. Upvote
    M-SOC gave kudos to SeriousHoax in Web Access Protection and Encrypted Client Hello (ECH)   
    The thing is ESET's HTTPS scanning feature breaks Encrypted Client Hello. According to tests, SNIs aren't encrypted with default ESET. This is not just ESET of course; any product with HTTPS traffic scanning breaks it.
    Only AdGuard for Windows can apply ECH (even though it decrypts the TLS connection like ESET) if you allow its DNS protection feature (enabled by default) and enable ECH from Advanced settings. It makes AdGuard handle the DNS and apply ECH.
    So maybe this is not possible unless AV products with an HTTPS scanning feature, like ESET, handle DNS encryption by supporting ECH.
    ECH is still not finalized and currently mainly supported by Cloudflare services, I think. But it looks like eventually it will become a standard.
    So I'm curious how ESET is going to handle this case.
    Sites to test if ECH is working or not:
    https://tls-ech.dev/
    https://defo.ie/ech-check.php
    https://crypto.cloudflare.com/cdn-cgi/trace/
    For the last test site, you'll have to check if sni=plaintext/encrypted.