Endpoint Prevent and Endpoint Discover do not retain original file by default.

By default, Endpoint does not keep the original files.  The files can be added, however, there will be additional overhead.  The messages between the Endpoint Server and the Endpoint Agent will be larger.  Also, the database space will be increase, which may be significant with Endpoint Discover.

To retain the original file, add a Response Rule to the Endpoint Policy in order to include file attachments.

Actions 
All: Limit Incident Data Retention  
Network Incidents:
Discard Original Message:   
Discard Attachment:   All  Attachments with no Violations  None 
All Endpoint Incidents (Including Endpoint Discover Incidents):
Enabling this option may prevent some events on endpoints from blocking (e.g. Copy to USB). To ensure endpoint prevent works properly, disable the ENABLE_VEP_FILE_ELIMINATION setting from the Endpoint Settings page of the endpoint servers. 
Retain Original Message: