View Full Version : an "average" user's attempt to understand SC secur


brynn
01-30-2005, 08:43 PM
Hello Everyone
I'm a new SC user (the free version for now), and a fairly average user, who must, like everyone else, learn to use and depend on fairly sophisticated security programs, just to use the internet. I use Windows XP SP2, Internet Explorer with firewall enabled, Norton Internet Security 2005 (AV, firewall, pop-up, spam and ad blockers), CWShredder, Ad-AwareSE, Spybot S&D, IE-SpyAd, Hijack This, and a couple of others that I got to clean up a specific "infection".

My co-manager, of a "website" which is technically an MSN Group, found SC and wants to set up some of our pages with counters. But when I browsed to the SC homepage to check it out, I saw that it is in my IE security's Restricted Zone, and the only sites I have there, were placed there by IE-SpyAd. So I've been searching, through the SC Knowledge Base, Fast Search, and forums for info that might explain this.

It may just be that these security issues are developing as we speak, but I haven't found anything cohesive, and clear enough for "average" users. The answers in Fast Search and Knowledge Base don't make sense by themselves (to me with my limited knowledge), and there are just a few threads over the last month, all written by professionals, or those knowledgeable enough to discuss with professionals. So I thought I would post what I've learned, consolidating it for others like me, and ask my questions at the same time, so they can be answered in the same thread, further creating a resource for others like me.

At the end of this message are links to the 3 threads I found with info relevant to my questions. There were another 3 related to security issues, but not relevant to my questions. Oh, and I should say I only looked at messages over the past one month (Jan'05). My first question is, what has caused the creators of IE-SpyAd to include the StatCounter website in their list of restricted sites? It appears as though SC might not even understand what IE-SpyAd is. I could refer you to that website, if it would be helpful, although I believe others have already offered this info.

I have learned through the KB and Fast Search that there is an ad on the SC website which wants to download a file (Avenue A) on visitors' computers. But apparently this is only a problem for visitors to the SC website, and it doesn't affect visitors to counter-users' websites. My guess is that's what qualifies the SC website for Restricted status in IE-SpyAd, although I am not certain at all. I have both ad and pop-up blockers so haven't personally experienced it. Plus then SC being in my Restricted Zone, I'm safe.

And there are other issues--reported Ad-Aware scans turning up tracking cookies, and possibly some concern about potentially being defined as a malware site by Spybot S&D. So I can't be sure if the latter issues are not part of what IE-SpyAd recognizes as bad. However, if I understand what I have read, these latter are problems associated with the use of the counter itself, and turned up by scans of people who have visited websites of those using either the javascript form of the free counter, or the paid counter.

Since I'm using the html version of the free counter, none of these latter issues are my concern. But it has taken me quite a while to figure out that they are not my concern. And I'm not entirely sure I'm correct that they are not my concern. So my 2nd question, am I correct in the conclusions I have drawn, that the ad with Avenue A file is what IE-SpyAd is worried about, and that the Ad-Aware issue is for visitors to counter-users' websites, and that there isn't an issue with Spybot S&D, only the concern that it may develop? **I would be particularly concerned if visitors to my website are getting some sort of security alerts, as they will think it's my site that poses a security risk, not the counter.**

I hope this message will be helpful for other "average", "Joe Visitor" type of SC user or potential user. Here are the URLs of the messages I found to be related to my questions, although they did not clearly answer them. I would very much appreciate any replies. And thanks for everyone's time and attention to this matter.

All best.

http://forum.statcounter.com/phpBB2/viewtopic.php?t=3128&sid=a26451db255d67ac2cd6f4c5f8ac411b

http://forum.statcounter.com/phpBB2/viewtopic.php?t=3164&sid=a26451db255d67ac2cd6f4c5f8ac411b

http://forum.statcounter.com/phpBB2/viewtopic.php?t=3079&sid=a26451db255d67ac2cd6f4c5f8ac411b

webado
01-30-2005, 10:01 PM
The Avenue A thing from TribalFusion only is a concern for you when you look at your own Statcounter admin pages, this has nothing to do with the counter code as it is implemented on your own web pages.

Security issues can result in Statcounter being placed in the restricted sites simply because of the fact it creates cookies as a third party application used on your pages (as well as mine and anybody else's you visit who also use Statcounter).

XP & SP2 security features alone are enough of a headache to tweak for smooth surfing. All the other programs you use vastly contribute to increasing this headache. Not just in relation to Statcounter, but almost all sites that use cookies, and that includes secure sites.

brynn
01-30-2005, 11:50 PM
??? Ok, I must be missing your meaning.
It sounds like you are saying security is too much of a bother?
Well, if I'm not missing your meaning, and that's your opinion and your choice to ignore these problems, and I can respect that. No problem. But others take security much more seriously. And even if I shared your opinion, I would still have to worry about a visitor to my website, where a Stat Counter is posted or installed, getting a "Critical Object" when they run their Ad-Aware scan, which might be identifying my website as the source of the critical object.

As I said in the other message, even if you know, and I know, that the "critical object" from SC is not a threat, my website visitor doesn't necessarily know that, and they might want to avoid my site because of it. That would be my biggest concern.

And my other concerns are about SC showing up on IE-SpyAd's Restricted list. Are you saying that the Tribal Fusion/Avenue A deal is definitely the reason for that? Or is it related to the thing which Ad-Aware calls a "critical object"?

If anyone else knows anything about these things, I certainly would appreciate your perspective. Thanks again.

webado
01-31-2005, 12:16 AM
Don't get me wrong, I'm taking security very seriously. I'm only complaining about the way Microsoft has set the defaults.

The fact that the average user (and even the above average user) has a terrible time figuring out why a site - any site - is being blocked and which settings affect that decision, is the source of my displeasure. I know my sites are fine. Yet under XP & SP2 with the default factory setting for firewall and all security stuff, I was not able to access my sites. Not only that, but other trusted sites like my bank or paypal. Accessing those requires lowering the security or privacy settings - in a hodge-podge of ways. Basically trial and error. Most unsatisfactory outcome.

If you add Spybot and others, you have that many more places to check for what blocks what. I use Spybot too. But I spent a long time fixing its default settings just so that I can access perfectly normal sites. Instead of blocking a site that has a Tribalfusion paid ad on it - it will block Tribalfusion only and that only if Tribalfusion's ad is something like Avenue A or Doubleclick. That unfortunately is not the default in Spybot. Probably your program deals with this in a similar manner.

If you've blocked Tribalfusion's "contribution" by using Spybot or IE-SpyAd their cookies will not show up in Adaware. They are blocked because of more than just tracking cookies I believe. - ActiveX scripts probably.

Adaware seems to consider all tracking cookies a low-risk critical object. There's nothing wrong with those darn cookies, it's just text. They don't do anything by themselves.

Bad sites and good sites use the same kind of tracking cookies.

I read on the Adaware site that Lavasoft (adaware's creator) maintains a blacklist - not sure if this is being used to determine if a tracking cookie is critical object or not. I have been trying to find out if Statcounter happens to be on the blacklist - but it's not obvious.

brynn
02-02-2005, 03:55 PM
Hi chrisooc,
Ok, I'm beginning to understand. It must be very frustrating to not only have to deal with complicated security issues in your personal use of the internet, but to have to understand how these issues affect your internet product. I know configuring all these 6 or 8 security programs of mine drives me absolutely to distraction! But it must be done :-(

"If you've blocked Tribalfusion's "contribution" by using Spybot or IE-SpyAd their cookies will not show up in Adaware. They are blocked because of more than just tracking cookies I believe. - ActiveX scripts probably."

I'm not sure, but this statement might answer most of my questions. First I think you're indicating that the Tribalfusion ad is why StatCounter is on the IE-SpyAd restricted sites list (which answers my first question). Also, I think you're indicating that the Tribalfusion ad is what Ad-Aware is picking up (which partly answers another question). This is not exactly what I had gathered from the other messages. I thought that the malware picked up by Ad-Aware (as discussed in some of the threads I referenced above) came from visitors opening a webpage with a SC counter on it, ie--that when a visitor to my website opens a page where I have installed a SC counter, they get a cookie or active x which THEIR Ad-Aware picks up.

If both the IE-SpyAd AND Ad-Aware issues are with the Tribalfusion thing, then there's nothing to worry about as far as visitors to my webpages where a StatCounter counter is installed (because the Tribalfusion problem is an ad on the SC website). When I read through the threads which I referenced in my original message (with which I started this thread), it sounded like visitors to my webpages, on which I had placed a SC counter might get security alerts, either the moment the page opens, or the next time they run their Ad-Aware scan. If you can speak to this one last point, then all my questions will be answered--**If I place a SC counter on my webpage, and visitors to that webpage browse to and open the page, do they pick up anything (cookies, active x, anything at all from SC) that is going to be detected by their security programs (Ad-Aware or anything else)?**

Thanks again.

robinev
02-02-2005, 04:11 PM
If I place a SC counter on my webpage, and visitors to that webpage browse to and open the page, do they pick up anything (cookies, active x, anything at all from SC) that is going to be detected by their security programs (Ad-Aware or anything else)?

Yes. StatCounter tries to place or (if it's already there) to read a cookie on the machine of the user of your web site. This cookie is used to determine if a user should be counted as a "return visitor" in SC stats. As far as I can tell, that is all that it does. Since the cookie is written from statcounter.com, it is considered a third-party cookie which means that many browsers will automatically reject it.

Ad-Aware may also object to the whole project of keeping the sort of stats that we like so much from StatCounter. Because the statistics are kept in a centralized database, it would be possible for someone with less benevolent intentions to massage this kind of information into a form that Ad-Aware finds objectionable.

webado
02-02-2005, 04:36 PM
No, the Tribalfusion thing is not picked up by Ad-aware as anything to do with Statcounter. It's not even actually Tribalfusion, but rather some of the ads they present, which vary: Avenue A, Double Click, etc. It is picked up by Spybot which may block loading the admin pages at statcounter, as this is where it appears if at all. It depends on how Spybot is configured. Mine asks whether to block or not. This definitely does not impact on your web site pages that contain Statcounter code, as Tribalfusion is not involved there at all. The Statcounter code simply generates a cookie on your website's behalf and stores it on the visitor's computer. If the visitor's browser is set to block sites that create cookies, maybe as third party cookies, then they will either not see the page at all or get a warning, depending on how tight the security setting is.