Hello,
Don’t know if you are aware of it but some types of protocols do not support retention of the attachments, even if you have in place a response rule to retain all attachments. That’s because the incident is generated based on the text itself rather than by examining the file (e.g. print protocol).
Check the full list below.
Types of Endpoint incident that support data retention:
1) Removable storage - Yes
2) CD/DVD - Yes
3) Local Drive - Yes
4) Print /fax - No
5) Clipboard - No
6) AIM- Yes
7) MSN - No
8) Yahoo Messegner - Yes
9) Outlook - Yes
10) Lotus Notes - Yes
11) Application File Access - No
12) IE (https) - Yes
13) Firefox (https) - Yes
14) Http - Yes
15) FTP - Yes
16) Copy to local Drive - Yes
17 Copy to share - Yes