1 (edited by pr 2016-08-20 00:12:41)

Topic: Sanesecurity badmacro.ndb ignored while scanning mail

======== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5-1
- Linux/BSD distribution name and version: Ubuntu 14.04.4 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? no
- Related log if you're reporting an issue:
====

On our iRedMail server the Sanesecurity badmacro.ndb database doesn't seem to be used when amavis/clamav is scanning inbound mail. Today we've received over 200 mails with infected word documents, all of them passed through amavis without being blocked and no notification was sent to the $virus_admin.
The badmacro.ndb file is located under /var/lib/clamav with all the other clam databases, the filedate is 2016-08-17.

Local testing with some of the infected documents shows that the badmacro database is working fine and recognizes the malware; when running clamscan against a local (filesystem) sample, the result is:
PaymentReceipt.docm: Sanesecurity.Badmacro.Doc.df.UNOFFICIAL FOUND

Other databases (e.g. phish.ndb) from Sanesecurity work fine with amavis; since yesterday there are some 100-odd entries like these in the mail.log:
INFECTED: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL
and for each incoming mail a notification was sent to the $virus_admin defined in the amavis config file.

Any ideas why the badmacro database seems to be ignored when mail passes through amavis?
Thanks for your help in advance.
