Endpoint Prevent and Endpoint Discover do not retain the original file by default.
Is it possible for the original file be retained?

By default Endpoint Agent's do not keep the original files. The files can be retained, however, there will be additional overhead.  Data transmissions between the Endpoint Agent and the Endpoint server will be larger. Also database usage will increase at a faster rate due to the additions of the original file being saved with incidents. There can be a very significant increase when using Endpoint Discover scanning.

To retain the original file, add a Response Rule to the Endpoint Policy in order to include file attachments.

Available actions:

All: Limit Incident Data Retention  
Network Incidents:
Discard Original Message:   
Discard Attachment:   All |  Attachments with no Violations |  None 

All Endpoint Incidents (Including Endpoint Discover Incidents):
Enabling this option may prevent some events on endpoints from blocking (e.g. Copy to USB). To ensure that endpoint prevent works properly, disable the ENABLE_VEP_FILE_ELIMINATION setting from the Endpoint Settings page of the endpoint servers. 
Retain Original Message: