What is Online vs. Offline Testing?
Most Endpoint Security technologies rely on an internet connection to get threat telemetry, false positive information, and so on when performing analysis to provide the best level of protection.
Generally, a real-world attack occurs when the machine is connected to the internet.
However, to validate the efficacy of an anti-malware scanner, performing the test with the internet connection disabled will help analyze how the product fares when offline.
Changing the firewall rule, or the firewall within a virtual environment, to block outbound network connections can help review the attempted network connections in the firewall logs.