ETA solutions look for patterns in the traffic, read unencrypted metadata, flag suspicious packets, and so on --- but if the traffic isn't actually decrypted for full inspection, there's no guarantee that it's devoid of malware.
At the end of the day, preventing such attacks --- or at least reducing their impact --- calls for an approach with defense-in-depth. You should have preventive and detective measures implemented at the perimeter, the end-points, and the entire network, with the solutions integrated with one another.
If a perimeter device using ETA doesn't detect malware, and it gets decrypted on a user's system, an end-point security system there can quarantine the malware and isolate the system, as well as relay information to integrated systems to take actions at the network level.
With a layered approach, you have some assurance that should malware get past one layer, it still has to get through others.
We can't always depend on employee awareness here --- someone who sees his system acting strangely may just lean back and start using his smartphone rather than call Support --- so the solution should also be properly configured to alert the IT Security team.
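To make concrete what the "unencrypted metadata" an ETA-style inspector can read actually looks like, here is an added example (not code from the original thread): a parser for the TLS ClientHello that pulls out the offered protocol version, the SNI and the cipher suites, plus a flagging routine run over constructed sample records. The weak-suite watch-list and the flagging rules are assumptions made for the example, and an empty finding list says nothing about the encrypted payload that follows.

```python
import struct

# IANA cipher-suite values this example treats as weak (a constructed watch-list, not a standard)
WEAK_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
               0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}

def build_client_hello(sni, suites, version=0x0303):
    """Construct a minimal TLS ClientHello record (sample input for this example)."""
    ext = b""
    if sni is not None:                     # server_name extension (type 0)
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        body = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(body)) + body
    hello = (struct.pack("!H", version) + b"\x11" * 32 + b"\x00"       # version, random, empty session id
             + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
             + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)          # null compression, extensions
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello                 # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs             # record type 22 = handshake

def parse_client_hello(record):
    """Return the cleartext fields an inspector can read without the session key, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    version = struct.unpack("!H", record[9:11])[0]
    p = 43 + 1 + record[43]                 # skip version, random and session id
    n = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
    p += 1 + record[p]                      # compression methods
    sni = None
    if p + 2 <= len(record):
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]; p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", record[p:p + 4]); p += 4
            if etype == 0 and elen >= 5:    # list len(2) + name type(1) + name len(2) + name
                nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
                sni = record[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    return {"version": version, "sni": sni, "suites": suites}

def flag_client_hello(record):
    """List what the metadata alone reveals; an empty list is not proof the payload is clean."""
    info = parse_client_hello(record)
    if info is None:
        return ["not a TLS ClientHello"]
    findings = ["no SNI (direct-to-IP or evasive client)"] if info["sni"] is None else []
    if info["version"] < 0x0303:
        findings.append("legacy TLS version offered: 0x%04x" % info["version"])
    findings += ["weak cipher suite offered: " + WEAK_SUITES[s] for s in info["suites"] if s in WEAK_SUITES]
    return findings
```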
Interesting that most have concentrated on a single vendor, Cisco. If you look carefully within Government circles within their policies and controls, often they mandate TLS decryption for web traffic and also Identity and Access Portals. So to give you some examples: Identity Security Access Manager (ISAM) for Business has a web proxy, called WebSeal, which has proxies for both mobile and web services, which has an inbuilt layer 4 to layer 7 WAF, which, by using the server digital certificate, can decrypt and check the incoming and outgoing traffic before it is allowed into the organisation's web servers/farm, etc.
Other vendors use F5 with its Advanced Security Module, which has good layer 4 to layer 7 TLS inspection capabilities in virtual or physical formats.
However, from experience, you need plenty of testing, non-production and Proof of Concept work going on, because often the claims of manufacturers have to be verified and tested carefully - sometimes their claims do not add up in reality.
Surely there are many vendors offering "man in the middle" decryption and inspection, but the original question was about the ability to detect malware within encrypted traffic...
In that case you will always need the ability to decrypt the incoming transmission, and you may have to re-encrypt it again by policy before it is forwarded on to the final destination. Normally, one would have an assured solution, as it normally has to hold a copy of the private key for decryption purposes. Normally the solution has a proxy or an SSL/TLS forwarding capability with layer 4 to layer 7 inspection capabilities.