Hi;
SMLatCST mentioned you must create a HI policy for detect the AV virus definition was older than 3 day.
Then if you use sefl enforcement you must use a quarantine firewall policy to block network access.
If you use lan enforcer or DHCP enforcer
You must define the rule if the host interity failed close port or assing a vlan for Lan enforcer and For DHCP enforcer while HI failed its stay on the qurantine ip range. You can still block with Qurantine firewall policy as well.
Regards.