From the Results Analysis lesson, the Study Guide confirms:

" The Basic information section shows that, in this case, the file type is WEBLink and the file was submitted by FortiMail. "

From the Scanning and Rating Components lesson:

" The only exception to this is URL inputs. These inputs are submitted directly to the VM scan engine for sandboxing. "

When URLs are submitted to FortiSandbox (from FortiMail or other sources), they are classified as WEBLink file type — which is distinct from the standard .url file extension shown in the VM Association Web types (htm, js, lnk, url).

Looking at the exhibits:

The VM Association shows Web: htm, js, lnk, url — but WEBLink is NOT listed

The Advanced tab shows Real-time Zero-Day Anti-Phishing Service is enabled (green)

Despite RTAP being enabled, URLs cannot reach the VM scan stage without WEBLink being explicitly included in the scan profile ' s VM Association

Since RTAP operates during VM scanning, if WEBLink is not assigned to a VM in the scan profile, URLs submitted for inspection will never reach the VM, and therefore will never be evaluated by the RTAP service — regardless of RTAP being enabled.