By the time malware is executing and preventing the AV from connecting, that means that your AV already allowed the malware to run. The AV would’ve checked the malware against the cloud before allowing it to run.
Because the first thing the malware does is block the AV from updating/connecting home, to prevent just that: an online detection.
New threats use years-old malware; they just create new ways to bypass the detection, so they could easily download the main load.
AV companies do not like updating signatures, because it increases the load on the servers. Most have limited ones for free versions.
If after it starts running it manages to subvert your network, which is very much possible, then almost every layer of defense that you have has failed.
Even if you had offline signatures, you would be hoping for a signature update which might not be delivered for the same reason you can’t do cloud lookups.
I think offline signatures are more useful for corporate setups that are airgapped or on a non-Internet VLAN.