Nope. Imagine, for instance, a vast network of computers used by state embassies for messaging between each others across the world. The computers and the entire are never connected to the Internet. However, all computers need protection in case someone distributed a malicious file via messaging. It makes little sense to suggest disabling USBs, and so on - because it cannot be exluded that a malicious actor somewhere on the network would not bypass the restrictions. Each endpoint of the network must have independent, real-time protection.
Now, can MBAM do that?
k