Several of the AV solutions these days perform something called EDR checks which are essentially real-time checks (that need internet) to ensure that several aspects of security are met.
Please refer to
https://www.crowdstrike.com/cybersecurity-101/endpoint-security/endpoint-detection-and-response-edr/ or similar products for more details on how EDRs work.
During Host checks, whenever there is an EDR product involved, an internet check is performed by pinging general websites, and only if there is a ping response along with other configured policies succeeding, the HC will succeed and move to the next phase of the connection.