If we can't power down the machine, due to evidence loss, and we can't nullroute the IP because, as stated, some malware will delete itself or alter itself when net access is lost,
can we filter a single port, in the case of spam, phishing, etc.?

I'll look further into the JunOS. I'm not too familiar with the rules on the Juniper, so I'll take a look further, and see how to achieve this on a single IP rather than the network.

