diff --git a/rules/windows/builtin/win_susp_msiexec_web_install.yml b/rules/windows/builtin/win_susp_msiexec_web_install.yml
index bf756781b..880591fc6 100644
--- a/rules/windows/builtin/win_susp_msiexec_web_install.yml
+++ b/rules/windows/builtin/win_susp_msiexec_web_install.yml
@@ -10,7 +10,7 @@ date: 2018/02/09
 detection:
 selection:
 CommandLine:
- - '* msiexec* /q *http*'
+ - '* msiexec*:\/\/*'
 condition: selection
 falsepositives:
 - False positives depend on scripts and administrative tools used in the monitored environment
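Review bot: The new value `'* msiexec*:\/\/*'` carries its backslashes as literal characters, since YAML single quotes do no escaping and Sigma treats a backslash as an escape only before `*`, `?` or another backslash. Depending on the converter backend, the rule may therefore look for `:\/\/` instead of `://` and never fire on a real URL. A forward slash needs no escaping here, so `- '* msiexec*://*'` states the intent directly. Separately, the leading `* msiexec` still requires at least a space before the binary name, so a CommandLine that begins with `msiexec` is not covered; a second list entry `- 'msiexec*://*'` would close that gap. With `/q` and `http` dropped, the match is broader, so the `falsepositives` entry could name the expected benign case, such as software deployment tools that install from an internal URL.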