Most endpoint security technologies rely on an internet connection to retrieve threat telemetry, false-positive information, and similar data during analysis so that they can provide the best level of protection.
Generally, a real-world attack occurs when the machine is connected to the internet.
However, when validating the efficacy of an anti-malware scanner, running the test with the internet connection disabled will help analyze how the product fares when offline.
Changing the firewall rules on the machine, or on the firewall within a virtual environment, to block outbound network connections can also help you review the attempted network connections in the firewall logs.
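
One way to review those blocked attempts after a test run, as an added example that is not part of the original page: it assumes the test machine is Windows with Windows Defender Firewall logging of dropped packets enabled, and summarises dropped outbound connections from a log in that layout. The sample log lines and addresses are constructed.

```python
from collections import Counter

# Constructed sample in the Windows Defender Firewall log layout (pfirewall.log).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-01-15 10:02:11 DROP TCP 10.0.2.15 203.0.113.10 49712 443 0 - 0 0 0 - - - SEND
2024-01-15 10:02:12 DROP TCP 10.0.2.15 203.0.113.10 49713 443 0 - 0 0 0 - - - SEND
2024-01-15 10:02:14 DROP UDP 10.0.2.15 198.51.100.53 55120 53 0 - - - - - - - SEND
2024-01-15 10:02:15 ALLOW TCP 10.0.2.15 10.0.2.2 49714 445 0 - 0 0 0 - - - SEND
2024-01-15 10:02:16 DROP UDP 10.0.2.2 10.0.2.15 5353 5353 0 - - - - - - - RECEIVE
2024-01-15 10:02:17 DROP TCP 10.0.2.15 203.0.113.10
"""

def blocked_outbound(log_text):
    """Count dropped outbound attempts per (protocol, dst-ip, dst-port)."""
    fields = None
    attempts = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            # Column order comes from the header, so extra columns are tolerated.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) < len(fields):
            continue  # truncated line, e.g. the log was cut off mid-write
        row = dict(zip(fields, values))
        # DROP + SEND = an outbound connection the offline rule blocked.
        if row.get("action") == "DROP" and row.get("path") == "SEND":
            attempts[(row["protocol"], row["dst-ip"], row["dst-port"])] += 1
    return attempts

def report(attempts):
    """Return report lines, most frequently attempted destination first."""
    return [f"{n:>4}  {proto:<4} {ip}:{port}"
            for (proto, ip, port), n in attempts.most_common()]

if __name__ == "__main__":
    print("\n".join(report(blocked_outbound(SAMPLE_LOG))))
```

Destinations that appear here during a scan show which lookups the product attempted and could not complete while offline.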