While it is possible for malware protection within a computer network to do this work, the best practice is to detect and isolate a problem at the network boundary using a NGFW before it can reach the computer network.
FORBES: Next-Generation Firewalls: What Makes Them Next-Gen