Hello dan87,
yes, it is possible - to have an incident with attachment. Steps: Just add to the policy a response rule "Limit data Retention".
yes of course - when you click on a file with a violation in a incident snapshot - will be open original file (shadow copy).
Hi ,
Check this below Link
https://www-secure.symantec.com/connect/forums/dlp-116-endpoint-agents-not-capturing-attachments-incidents