Diagnosing ICAP issues where Incidents are not being triggered by webmail attachments
In actuality, we ARE likely processing the attachment, just as part of the body of the email, because that is how many Web 2.0 apps send it.
The way to test it is:
1. Get the policy you expect to hit (is it a Data Identifier?)
2. Get a screenshot of the screen when the email is about to be sent (you NEED to know whether it's plain text, rich text or something else. In general, if you can see little icons for font/color/etc., it's rich text)
3. Enable Detection Trace logging per TECH219364
4. Set up a keyword policy rule and OR it to the original policy rule
5. Add the keyword to the attachment AND the email body
6. Send it through.
7. Verify that it created an incident
8. Get the logs
9. Using the User Interface, navigate to the incident(s) and (from the upper right corner) select "Report - Open Original Message" and save it to a safe location.
10. Review and prepare for Support:
10.1 The Screenshot of the email client prior to sending the email (#2)
10.2 A screenshot of the Policy (#1)
10.3 A full set of logs
10.4 The "Original Messages"
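
To see where the test keyword landed in a captured webmail request, the following added example (not part of the original article or of the product) parses a multipart/form-data POST body and reports, for each hit, whether it sits in a file part or an ordinary form field, and whether it was plain or base64-encoded. It assumes the saved message is a raw multipart/form-data body; `locate_keyword`, `sample_request` and the keyword `DLPTESTKW1` are constructed for illustration.

```python
import base64
import binascii
from email import message_from_bytes
from email.policy import default


def locate_keyword(content_type, body, keyword):
    """Return [(field_name, part_kind, encoding)] for each part containing keyword."""
    # Wrap the HTTP body in MIME headers so the stdlib parser can split the parts.
    head = f"MIME-Version: 1.0\r\nContent-Type: {content_type}\r\n\r\n".encode()
    msg = message_from_bytes(head + body, policy=default)
    kw = keyword.lower().encode()
    hits = []
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        # A part without a filename is an ordinary form field, i.e. "body" content.
        kind = "file part" if part.get_filename() else "form field"
        data = (part.get_payload(decode=True) or b"").strip()
        if kw in data.lower():
            hits.append((name, kind, "plain"))
            continue
        # Assumption: some web apps carry the attachment as base64 text in a field.
        try:
            decoded = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            continue
        if kw in decoded.lower():
            hits.append((name, kind, "base64"))
    return hits


def sample_request():
    """Constructed sample: the 'attachment' travels as a base64 form field."""
    boundary = "XB"
    attachment = base64.b64encode(b"report text DLPTESTKW1").decode()
    fields = [("to", "bob@example.com"),
              ("body", "notes DLPTESTKW1"),
              ("att0", attachment)]
    body = "".join(
        f'--{boundary}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'
        for n, v in fields)
    body += f"--{boundary}--\r\n"
    return f"multipart/form-data; boundary={boundary}", body.encode()


if __name__ == "__main__":
    ctype, raw = sample_request()
    for hit in locate_keyword(ctype, raw, "DLPTESTKW1"):
        print(hit)
```

In the constructed sample both hits are reported as form fields, which matches the situation described above: the attachment content is present and inspectable, but it arrives as body data rather than as a named file part.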