Not a kernel-level API - they'd move Defender to an API without kernel-level access. On Mac, their API is called Endpoint Security Framework, which lets antivirus monitor system calls without giving it kernel-level access. And System Integrity Protection is how they close the kernel. Microsoft would love to do the same, but also wants their own Defender to have kernel-level access. The EU says they have to give third-party antivirus the same access they give their own antivirus, for anti-trust reasons. Personally I disagree with the EU here.