diff --git a/rules/windows/process_creation/process_creation_susp_non_exe_image.yml b/rules/windows/process_creation/process_creation_susp_non_exe_image.yml
index 0cbea9ab4..42559990b 100644
--- a/rules/windows/process_creation/process_creation_susp_non_exe_image.yml
+++ b/rules/windows/process_creation/process_creation_susp_non_exe_image.yml
@@ -17,8 +17,10 @@ detection:
 Image|endswith: '.exe'
 filter_null:
 Image: null
- filter_msi:
+ filter_starts:
 Image|startswith: 'C:\Windows\Installer\MSI'
+ filter_pstarts:
+ ParentImage|startswith: 'C:\ProgramData\Avira\'
 filter_avira:
 Image|startswith: 'C:\Windows\Temp\'
 Image|endswith: '\avira_speedup_setup_update.tmp'
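Review bot: The new `filter_pstarts` excludes every child process of anything under `C:\ProgramData\Avira\` on the parent path alone, with no constraint on the child `Image`, which is much broader than the neighbouring `filter_avira` that pins both directory and file name; because `C:\ProgramData` is writable by standard users, a parent-path-only exclusion is a weak fingerprint for a rule whose purpose is flagging non-`.exe` images. Consider pairing it with an `Image` condition (for example the `.tmp` name the adjacent filter already uses, if that is what the Avira parent actually spawns) or at least record in the rule's `falsepositives` which Avira component motivated it. Separately, `filter_msi` is renamed to `filter_starts`; if the rule's `condition` (outside this hunk) names filters individually rather than via `1 of filter_*`, it must be updated as well, and `filter_starts`/`filter_pstarts` say less about intent than names such as `filter_msi_installer`/`filter_avira_parent`.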