OK, thank you. I output all the events about the file and found that WeChat first CLONE and then OPEN the new file. Which system call does this ES_EVENT_TYPE_AUTH_CLONE event correspond to? Can I call es_respond_flags_result(client, msg, 0x0, true); deny CLONE?