diff --git a/rules/windows/image_load/image_load_susp_vss_dll_load.yml b/rules/windows/image_load/image_load_susp_vss_dll_load.yml
index 28abba3f1..c91a4fc90 100644
--- a/rules/windows/image_load/image_load_susp_vss_dll_load.yml
+++ b/rules/windows/image_load/image_load_susp_vss_dll_load.yml
@@ -19,7 +19,10 @@ detection: - '\vsstrace.dll' - '\vssapi.dll' filter_legit: - Image|contains: 'c:\windows\' + Image|startswith: - 'C:\Windows\' - 'C:\Program Files\' - 'C:\Program Files (x86)\ condition: selection and not 1 of filter_* falsepositives: - Unknown
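Review bot: The third `Image|startswith` entry is missing its closing quote — `'C:\Program Files (x86)\` opens a single-quoted scalar that is never terminated on that line, so the rule will either fail to load or fold the following `condition:` line into the string; it should read `- 'C:\Program Files (x86)\'`. Once that is fixed, note that the `C:\Windows\` prefix still allowlists user-writable locations such as `C:\Windows\Temp\` and `C:\Windows\Tasks\`, a known evasion for path-prefix filters, so a loader dropped there is silently excluded; a comment to that effect (`# NOTE: C:\Windows\ includes user-writable subdirectories such as Temp and Tasks`) or a narrower prefix like `C:\Windows\System32\` would make the trade-off explicit. The `falsepositives` entry still says `Unknown` even though the filter now states exactly which locations are trusted; consider replacing it with the expected legitimate loaders (backup and system software installed under Program Files). The `selection` referenced by the condition is defined above the hunk and is not visible here.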