I can understand that the project says “better no connection than unsafe connection”. But this may not be the way that users intend “firewalling”.
Also, you’re blindly believing that you can fool at all not only the DNS, but also the update management (and signing) of the antivirus system.
Most AV producers allow HTTP and FTP (without the "s") to allow proxies to cache and reduce bandwidth for distributed systems (without an in-LAN update server…).