Our interim solution was to have them disable the real-time protection in Avira, enable Windows Defender, Update Windows Defender, and run a full scan with that. Then they were able to connect.
One user had McAfee installed but disabled from several months ago when a McAfee upgrade conflicted with OPSWAT detection. She had installed Avira Free in order to connect. She was able to disable Avira and use McAfee, which by now had been supported by ESAP.
Avira seems to turn itself back on, which is probably a good thing if Windows Defender is your only other line of defense. It just may be counter-intuitive to your users to continue to have to disable it each day that they need to use VPN. Also, I had a Windows 10 glitch where on day 2 after I disabled Avira, attempting to enable Defender produced an error that another AV product was already enabled. However, the Defender process was running and I made it through the compliance check.
I wish the OPSWAT detection mechanisms could be more of a live service rather than something that has to be merged into an ESAP change, tested, and released, where it is then tested again before being implemented in a production environment.