On a mac if you set Cylance's "local protection" to "system" it seems to disallow all filesystem access to the CylanceSvc service's launchd plist file: /Library/LaunchDaemons/com.cylance.agent_service.plist This access is completely denied even to the root user. At first glance this would appear to prevent all users, including root, from stopping the service. However launchd does not look at the filename when processing one of these files. You can have one called foo.plist and if it's Label key is set to the same as the Cylance one, eg "com.cylance.agent_service", then it can be used to stop the Cylance service. So this local protection is fairly weak in terms of stopping the root user from disabling Cylance. Also weirdly if I use a separate plist file to stop the service when it's in this mode, after starting it back up again the original plist is left accessible. Reported both of these issues to Cylance, they seemed to already be aware of the first one and just seemed to say it's a limitation of the operating system. Presumably with SIP locking down all the system files there's only so much they can do to interrupt things being done as root.