Deny uninstalling SystemExtension for root
I want to prevent the root user from uninstalling my EndpointSecurity System Extension. I succeeded in denying this when he removes it with a Terminal command, by intercepting ES_EVENT_TYPE_AUTH_RENAME and ES_EVENT_TYPE_AUTH_UNLINK events and answering ES_AUTH_RESULT_DENY for the Extension's application in the /Applications folder. However, when the user drags and drops the Extension's application to the Trash, he succeeds. More than that, it looks like I don't receive any event about it in the Extension. Thanks.
Jun ’22