Hello,
As Stephane said, some types of incidents can't retain the attachments. Check this list below.
Types of Endpoint incident that support data retention:
1) Removable storage - Yes
2) CD/DVD - Yes
3) Local Drive - Yes
4) Print /fax - No
5) Clipboard - No
6) AIM- Yes
7) MSN - No
8) Yahoo Messenger - Yes
9) Outlook - Yes
10) Lotus Notes - Yes
11) Application File Access - No
12) IE (https) - Yes
13) Firefox (https) - Yes
14) Http - Yes
15) FTP - Yes
16) Copy to local Drive - Yes
17) Copy to share - Yes
Regards,
Morgado