Endpoint Prevent and Endpoint Discover do not retain the original file by default.
To retain the original file, add a Response Rule to the Endpoint Policy so that file attachments are included.
Actions
All: Limit Incident Data Retention
Network Incidents:
Discard Original Message:
Discard Attachment: All / Attachments with no Violations / None
All Endpoint Incidents (Including Endpoint Discover Incidents):
Enabling this option may prevent some endpoint events (e.g. Copy to USB) from being blocked. To ensure Endpoint Prevent works properly, disable the ENABLE_VEP_FILE_ELIMINATION setting on the Endpoint Settings page of the endpoint servers.
Retain Original Message: