Incident attachments get .txt appended to the end of the file name.

Article ID: 431273

Products

Data Loss Prevention Core Package

Issue/Introduction

When viewing the attachments of an incident, the attachment file name has .txt appended to it (for example, foobar.pdf.txt).

Cause

In Symantec Data Loss Prevention (DLP), an attachment appearing as a .txt file (or sometimes with a .txt appended, like .pdf.txt) in an incident snapshot instead of the original .pdf is typically caused by how the system handles file processing, normalization, and retention policies.

 

Resolution

  • "Limit Incident Data Retention" Response Rule: If a response rule is configured to "Limit Incident Data" to reduce database size, and the original file exceeds a specific size threshold, the DLP system may convert the attachment to a plain text representation to save space.
  • Normalization of Encrypted/Unreadable Files: If the PDF is encrypted, password-protected, or corrupted, the Symantec DLP engine cannot extract content from it. In such cases, the system may extract only the available metadata or a generic placeholder, saving the resulting metadata file as a .txt file in the incident evidence.
  • Content Extraction Failure: If the content extraction engine (KeyView) fails to properly parse the PDF structure, it may default to treating the attachment as a plain text file, rendering it with a .txt extension in the snapshot.
  • Email Body Processing (S/MIME): For encrypted or specially signed emails (S/MIME), the DLP system may break the email into its constituent parts. An intermediate, non-readable file (like a .p7m file) may be represented or captured as a plain text file in the incident snapshot.