Ok..... I have played around with it a little..... There's a lot of stuff in it to play with.....

For your basic user - or the guy who is on it for the first time there appears to be a method to detect a user.

As they say in their docs they use UDP almost exclusively and packet dumps and firewall logs evidence that - there is a flurry of UDP activity at startup as it tries to contact the "sun" and the other "planets" in the galaxy. The trap is in the fact that these "planets" attempt a TCP SYN on the base filesharing port 37920, (which is blocked at the firewall).

A first time or normal user will fire it up and it will go out looking for a "sun" and "planets" via UDP which, in turn, will check for file sharing thus snort rules written to detect incoming TCP requests on port 37920 or searching the firewall logs for this port incoming should give the sysadmin a warning that someone has the software.

After an advanced user has fired up the software for the first time and gone straight to advanced settings then all bets are off. They can activate secure comms on port 39593 which will probably elicit the same inbound connections to check for file sharing by the other "planets" but everything is configurable.

A properly set up firewall should prevent users from sharing their own files but it is going to be a devil of a job stopping them from d/ling them if they are a bit savvy.

NOTE: This was a quick and dirty look at how it works and is in no way to be considered foolproof...... It's what I saw mine do......

[edit]
Forget everything after "good morning"..... I just installed it on a second machine..... It selects its ports randomly.... The only common factor is the flurry of UDP activity when you start it up....<sigh>
[/edit]
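A port-independent version of the check the edit points to, as an added example that is not part of the original post: it flags internal hosts that send UDP to many distinct external addresses in a short window, and counts how many of those peers then attempted inbound TCP. The log format, the internal range, the thresholds and all sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
WINDOW_SECS = 10   # assumed burst window, tune to your baseline
MIN_PEERS = 8      # assumed distinct-peer threshold, tune to your baseline
LINE_RE = re.compile(r"^(\d+) .*?SRC=(\S+) DST=(\S+) .*?PROTO=(\w+)")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, proto = m.groups()
    return int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), proto

def find_udp_bursts(lines):
    """Flag internal hosts that send UDP to >= MIN_PEERS distinct external
    addresses within WINDOW_SECS, whatever ports are used. Also count how
    many of those peers attempted inbound TCP to the same host."""
    udp_out, tcp_in = defaultdict(list), defaultdict(set)
    for ts, src, dst, proto in sorted(filter(None, map(parse, lines)),
                                      key=lambda e: e[0]):
        if proto == "UDP" and src in INTERNAL and dst not in INTERNAL:
            udp_out[src].append((ts, dst))
        elif proto == "TCP" and dst in INTERNAL and src not in INTERNAL:
            tcp_in[dst].add(src)
    flagged = {}
    for host, sent in udp_out.items():
        # Largest number of distinct peers seen in any window ending at an event.
        best = max(len({p for t, p in sent if 0 <= end - t <= WINDOW_SECS})
                   for end, _ in sent)
        if best >= MIN_PEERS:
            peers = {p for _, p in sent}
            flagged[str(host)] = {"burst_peers": best,
                                  "tcp_callbacks": len(peers & tcp_in[host])}
    return flagged

# Constructed sample log lines (simplified key=value firewall format).
SAMPLE = [f"{1000 + i // 2} ALLOW SRC=10.0.0.23 DST=203.0.113.{i + 1} "
          f"PROTO=UDP SPT=40000 DPT={20000 + 7 * i}" for i in range(9)]
SAMPLE += [
    "1006 DROP SRC=203.0.113.3 DST=10.0.0.23 PROTO=TCP SPT=51000 DPT=33871",
    "1007 DROP SRC=203.0.113.7 DST=10.0.0.23 PROTO=TCP SPT=51001 DPT=33871",
    "1008 DROP SRC=198.51.100.9 DST=10.0.0.23 PROTO=TCP SPT=4444 DPT=22",
    "1001 ALLOW SRC=10.0.0.40 DST=198.51.100.53 PROTO=UDP SPT=5353 DPT=53",
    "1300 ALLOW SRC=10.0.0.40 DST=198.51.100.54 PROTO=UDP SPT=5354 DPT=53",
]
```

A host doing ordinary DNS lookups (10.0.0.40 in the sample) stays under the threshold, and inbound TCP from an address the host never contacted is not counted as a callback.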