Detection is working for sent emails, but no incidents are triggered. In addition, a send email notification response rule is configured, but no notification is sent.
FileReader logs:
WARNING: IOException writing offline incident file for message [678FC7E3-A4E0-4FA6-B406-F19741A4E4CA]
java.io.IOException: Timeout occurred while writing
at com.vontu.incidenthandler.incidentwriter.TimeSensitiveOutputStream.handleException(TimeSensitiveOutputStream.java:118)
at com.vontu.incidenthandler.incidentwriter.TimeSensitiveOutputStream.write(TimeSensitiveOutputStream.java:80)
at java.io.ObjectOutputStream$BlockDataOutputStream.writeBlockHeader(ObjectOutputStream.java:1894)
at java.io.ObjectOutputStream$BlockDataOutputStream.drain(ObjectOutputStream.java:1875)
at java.io.ObjectOutputStream$BlockDataOutputStream.write(ObjectOutputStream.java:1848)
at java.io.ObjectOutputStream.write(ObjectOutputStream.java:690)
Detection Trace logs show that the email was detected and 1 incident was created:
[DEBUG] (DETECTION_TRACE.3) Processing of Message [678FC7E3-A4E0-4FA6-B406-F19741A4E4CA] took 1 minute(s) 9 second(s) 35 ms, and resulted in [1] incident(s). Details:
- Message:
- ID: 678FC7E3-A4E0-4FA6-B406-F19741A4E4CA
- Protocol: SMTP
- Sender: UNKNOWN_GENERIC: [email protected], EMAIL: [email protected]
- Recipients:
- UNKNOWN_GENERIC: [email protected]
- UNKNOWN_GENERIC: [email protected]
- Components:
Encapsulated File (ID=-1)
Header (ID=1)
- Text size: 2765 letters
Body (ID=2)
- Raw size: 3069 bytes
- Text size: 192 letters
- File name: attached-email-body.html
- File type: html
Attachment (ID=3)
- Raw size: 13168 bytes
- File name: Unknown
- File type: gif
Attachment (ID=4)
- Raw size: 26570222 bytes
- Text size: 55341093 letters
- File name: 33M+사내차단4개.xlsx
- File type: xlsx
The value of MessageChain.MaximumComponentTime is greater than the value of MessageChain.MaximumMessageTime.
When the message reaches TimeSensitiveOutputStream, the time allowed for writing the incident is the minimum of the remaining time (MaximumMessageTime minus the time spent in all other components) and MaximumComponentTime.
If MaximumComponentTime is greater than MaximumMessageTime, there is no time left for writing the incident, so the incident write times out. Because no incident is created, the send email notification response rule is not triggered and no email notification is sent.
In the Enforce Server, navigate to System > Servers and Detectors > Overview.
Then click on the detection server > Server Settings.
Set the value of MessageChain.MaximumMessageTime to be higher than MessageChain.MaximumComponentTime.
For example, the following advanced server settings for the Email Prevent server, changed from the Enforce Server:
MessageChain.MaximumComponentTime:
Current value = 130000
New value = 190000
MessageChain.MaximumMessageTime:
Current value = 120000
New value = 240000
MaximumMessageTime is used to determine the time remaining when submitting components for detection. If MaximumMessageTime is lower than MaximumComponentTime, FileReader restarts can report "component timeout exceeded" when what was actually exceeded was MessageChain.MaximumMessageTime.
This issue was mostly seen with emails that had large attachments (greater than 20 MB). The issue did not occur with emails without any attachment.
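The following is an added example, not code from the product or from this article's author. It correlates the two log excerpts shown above to list messages that detection matched but whose incident write failed, and it checks the two settings for the ordering described here. The log text is constructed sample input, and the function names are hypothetical.

```python
import re

# Constructed sample input modelled on the log excerpts quoted on this page.
# The second trace line (message ending in ...0001) is invented for contrast.
FILEREADER_LOG = """\
WARNING: IOException writing offline incident file for message [678FC7E3-A4E0-4FA6-B406-F19741A4E4CA]
java.io.IOException: Timeout occurred while writing
"""
TRACE_LOG = """\
[DEBUG] (DETECTION_TRACE.3) Processing of Message [678FC7E3-A4E0-4FA6-B406-F19741A4E4CA] took 1 minute(s) 9 second(s) 35 ms, and resulted in [1] incident(s). Details:
[DEBUG] (DETECTION_TRACE.3) Processing of Message [00000000-0000-0000-0000-000000000001] took 1 minute(s) 2 second(s) 10 ms, and resulted in [1] incident(s). Details:
"""

# FileReader warning emitted when the incident file could not be written.
WRITE_FAIL = re.compile(
    r"IOException writing offline incident file for message \[([0-9A-Fa-f-]+)\]"
)
# Detection trace summary line: message ID and number of incidents produced.
TRACE_DONE = re.compile(
    r"Processing of Message \[([0-9A-Fa-f-]+)\].*?resulted in \[(\d+)\] incident\(s\)"
)


def lost_incidents(trace_text, filereader_text):
    """Return {message ID: incident count} for messages that detection
    matched but whose incident write failed in the FileReader log."""
    failed = set(WRITE_FAIL.findall(filereader_text))
    lost = {}
    for msg_id, count in TRACE_DONE.findall(trace_text):
        if int(count) > 0 and msg_id in failed:
            lost[msg_id] = int(count)
    return lost


def settings_misordered(settings):
    """True when MaximumMessageTime is not higher than MaximumComponentTime,
    the condition this page identifies as the cause."""
    return (settings["MessageChain.MaximumMessageTime"]
            <= settings["MessageChain.MaximumComponentTime"])


if __name__ == "__main__":
    current = {"MessageChain.MaximumComponentTime": 130000,
               "MessageChain.MaximumMessageTime": 120000}
    print("Detected but not written:", lost_incidents(TRACE_LOG, FILEREADER_LOG))
    print("Settings misordered:", settings_misordered(current))
```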