What else prevents file deletion on OS X beside permissions, ACL, flags or being in use?

Question

As root (OS X 10.9.5), I cannot delete a file with no flags or ACL entry (at least seemingly), despite having the correct permissions:

/Library/LaunchAgents$ whoami
root
/Library/LaunchAgents$ ls -alOe
total 32
drwxr-xr-x   6 root  admin  -  204 Jan 12 22:56 .
drwxr-xr-x+ 66 root  admin  - 2244 May  9 15:26 ..
 0: group:everyone deny delete
-rw-r--r--   1 root  wheel  -  690 May  4  2016 com.bitdefender.antivirusformac.plist
/Library/LaunchAgents$ chmod -N com.bitdefender.antivirusformac.plist
/Library/LaunchAgents$ chflags 0 com.bitdefender.antivirusformac.plist
/Library/LaunchAgents$ rm com.bitdefender.antivirusformac.plist
rm: com.bitdefender.antivirusformac.plist: Permission denied
/Library/LaunchAgents$

The ACL entry above pertains to the /Library folder and shouldn't affect /Library/LaunchAgents. I have successfully moved other items in LaunchAgents while the bitdefender item fails. Have tried doing the above in single user mode as well with the same result.

What am I missing?

The purpose was to remove all traces of BitDefender. Having deleted its main folder where the files referenced in the plist resided, no daemons are running. I am however puzzled as to how this is possible.

Answer 1

I think it's taking advantage of OSX's System Integrity Protection model, but you don't need to worry about that.

They ship an uninstaller, it's just not very well documented. Here's how you get to it:

Open finder -> Utilities -> BitDefender Uninstaller.

Answer 2

There might be a kext that protects the file (the antivirus trying to "defend" itself), but sudo kextunload <name> (see the kexts with kextstat | grep -v apple) should work... Or, even better, first eliminate the daemon (vs agent) that controls it with sudo launchctl remove <name> (see the daemons with sudo launchctl list | grep -v apple).