In elementary terms, the Internet is just a simple telephone system.
The Internet line is forever live to a PC unless unplugged at the socket, the power switched off or using Safe Mode. Safe Mode + Internet is no use at all, the Internet line is live and open again. In fact my Comodo FW automatically loads when Safe Mode + Internet is selected.
Hibernate and Standby can disconnect the local connection and kill the Internet connection but on resumption it all becomes live again.
When simply looking at your Desktop, when the receiver is picked up by any program, information can pass in or out. Almost every program including Windows, MS, plus the AV and FW has an Internet component, mainly for updating but not always. Some need a continuous connection.
So there is a flow of traffic into and out of the PC whenever a program connects with the Internet and you know nothing about it.
The only means of knowing that an Internet connection has been made is the pop-up panel that most programs kindly use to let us know what is going on. They need not do this and internal Malware infections certainly do not. Bad practice if you are going to steal something.
A browser is just another program which enables visual and operational contact with the Internet to be made so we can use it. It has no influence on the Internet connection to the PC whether off or on. I am on Cable fibre optic Broadband with a fixed IP. Dial-up Broadband is more secure since the IP keeps changing at each logon.
Most programs replace the receiver when their particular need is finished. Malware can leave the line open permanently to monitor your personal data. So the $1,000 you deposited in your bank earlier and the credit limit increase you arranged can be immediately passed to the grateful recipient at the other end.
This all means that the AV, FW and other security programs must NEVER be disabled with a live Internet line connected.
I can tell when traffic is present with my Comodo FW because the tray icon is animated and shows in traffic and out traffic by red and green variants - Red for detection and Green for analysis.
The ability of Malware to transmit data depends entirely on the sophistication of your security set-up and the intricate technology of the Malware. It is a last man standing situation.
So live dangerously, get the adrenaline pumping and turn off your AV and FW if you feel free, that guy at the other end is eagerly awaiting your call. He urgently needs your cash, a brand new ID or some lovely credit card details.
I have recently come across a program that requires the AV and FW to be shut down before running - GMER. Bearing in mind what has just been said, that sounds like extreme stupidity. To be without a Firewall and AV protection for a 3 hour plus scan is akin to leaving the door wide open and your wallet laying on the table.
If any program requires the AV and Firewall to be turned off in order to operate, then if it cannot function in Safe Mode with NO Networking - DUMP IT !
After a long shutdown on Hibernate, no Firewall activity had occurred because the local connection was severed. I opened up the system and manually updated MBAM, it took less than a minute, but in that time with no Internet connection visual or open on my part ONE intrusion was blocked by my Firewall :- Protocol = TCP, Source IP = 184.108.40.206, Destination IP = ME, Source Port = 12200, Destination Port = 9090. The IP track is shown here :-
Inherent Malware can operate continuously once the set is "switched on" and you don`t even know it is happening.