System administration
olegSH_V, 2014-01-14 10:12:22

How to find a DLP agent in the system?

Good afternoon.
At work, UB implemented DLP. Most likely FalconGaze SecureTower.
How does the agent appear in the system, for example on Win7 x64? Where should one look for the agent? With what software can you see where it sends requests, and so on?
I would very much like to find the DLP agent in the system.
Thank you.


4 answer(s)
SokoloffP, 2014-01-14
@olegSH_V

First of all, you need admin rights on the machine. Do you have them?
If so, ProcessHacker to the rescue.

Beard, 2016-06-17
@mink_h

Good day!
I would like to share my observations - maybe they will be useful to someone.
Everything below applies to Falcongaze SecureTower.
Although the client tries to hide its presence by any means, everything secret sooner or later becomes clear.
1. Certificate substitution.
Open any resource that uses https in the browser and look at the certificate data. With the DLP client installed, the "Certification Path" section will contain a certificate signed by Falcongaze SecureTower.
During installation, the SecureTower client adds its certificate to the trusted root certificate store (Trusted Root Certification Authorities).
In general, whenever you have suspicions, this store can be checked periodically - you may suddenly find something interesting.
2. Location of files.
If you search for the client's installation files and directories visually, or using the search mechanism in Explorer (or any other file manager), most likely nothing will be found.
But there is a way out, and everything turns out to be much simpler - take the paths:

C:\Program Files\Falcongaze SecureTower
C:\Program Files (x86)\Falcongaze SecureTower # for x64
C:\Users\%username%\AppData\Local\Falcongaze SecureTower

and paste each in turn into the address bar of Explorer, then press Enter.
If the client is present, you will see its files and traces of its activity in the window that opens.
This method has been tested on Windows 7 and above.
3. Registry.
When the Secure Tower client is installed, the following registry key will be created:
Within this key, if it exists, there will be several subkeys. Some additional information can be gleaned from them: installation path, current version, server address and connection port.
4. Network.
By default, Secure Tower uses port 10500 to communicate with the server.
5. Processes.
As with directories and files, the client is great at masking its processes (if it wants to) in the Windows Task Manager.
Here is a list of the most likely processes:
FgstEpaCss.exe
FgstEpaCssHlp.exe
FgStEPAgentSvcHost.exe

To "squeeze" them out, run the good old Process Monitor and open the Process Tree - no one has escaped it yet.
6. Skype
As you know, many DLP systems are able to intercept Skype messages (some, especially advanced ones, even record calls). You will probably want to ask: how do they do it? After all, the Skype protocol is securely encrypted, and (practically) no one has managed to get close to decrypting it.
In fact, it never comes to decrypting data transmitted over closed protocols at all. The Secure Tower client pulls the data directly from Skype itself.
Method number one: it (the client) registers one of its modules as a trusted Skype application. The latter retrieves data using a documented and open API.
You can check Skype for intruders by selecting the menu item Tools -> Settings... -> Advanced -> Advanced settings -> Control access of other programs to Skype (tested on Skype 6.20.0.104). The API Access Control window will list all applications that have access to your Skype data. Perhaps, on opening this window, you will find a lot of new and interesting things!
Currently, this method is practically not used, because everyone (having grown utterly brazen) has switched to method number two.
Method number two: Skype stores the correspondence history in an SQLite database, in the best traditions of the genre - in clear text.
DB file location path:
It is this file that the DLP client periodically pulls.
Run Process Monitor and create a new filter:

| Column | Relation | Value   | Action  |
|--------|----------|---------|---------|
| Path   | contains | main.db | Include |

Click OK and wait for it to trigger. In a perfectly clean system, no one except Skype itself should access this file. If "living creatures" are running in the system, it will not take long.
It is always worth keeping in mind that developers do not sit idly by: DLP systems are constantly being improved (made more complex, generating more new bugs), and the methods described above may not work for new versions.
In addition, a lot depends on the security policies with which the client is configured. Individual modules (interception of Skype messages, control of https traffic, etc.) can be disabled, and accordingly no single item can give a 100% result.
To detect this kind of software, you should always use an integrated approach that includes checking all the points. In addition, some of these methods make it possible to track not only Secure Tower, but also its "competitors".
PS In conclusion, I appeal to everyone who is interested in this issue: if you know other methods (techniques, actions, etc.) for detecting DLP clients, write here (I think the author of the question will not mind). Any information is always useful!
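An added example, not part of the thread: an inventory script an administrator can run in an elevated PowerShell session to confirm which of the artifacts listed in points 1, 2, 4 and 5 above are present on a Windows 7 or later machine. The install paths, process names and port 10500 are taken from the answer; the assumption that the root certificate's subject or issuer text contains "Falcongaze" is mine, and the registry key and the Skype database path are not checked because the answer does not give them.

```powershell
# Added example (not from the thread). Run as administrator; Windows 7+ (PowerShell 2.0 compatible).
# Paths, process names and port come from the answer above; the certificate name pattern is an assumption.

$vendorPattern = 'Falcongaze'   # assumed substring of the root certificate's Subject/Issuer
$paths = @(
    "$env:ProgramFiles\Falcongaze SecureTower",
    "${env:ProgramFiles(x86)}\Falcongaze SecureTower",
    "$env:LOCALAPPDATA\Falcongaze SecureTower"
)
$processNames = 'FgstEpaCss', 'FgstEpaCssHlp', 'FgStEPAgentSvcHost'
$serverPort = 10500

$findings = @()

# 1. Trusted Root stores (machine and user): any root whose Subject or Issuer names the vendor
Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -match $vendorPattern -or $_.Issuer -match $vendorPattern } |
    ForEach-Object { $findings += "Root cert: $($_.Subject) thumbprint $($_.Thumbprint)" }

# 2. Install and per-user data directories; Test-Path does not depend on Explorer search
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Directory present: $p" }
}

# 5. Running processes, queried directly rather than through Task Manager's view
Get-Process -Name $processNames -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Process: $($_.Name) PID $($_.Id) $($_.Path)" }

# 4. Connections involving the default server port (netstat -ano also shows the owning PID)
netstat -ano | Select-String ":$serverPort\s" |
    ForEach-Object { $findings += "Connection: $($_.Line.Trim())" }

if ($findings.Count -eq 0) {
    Write-Output 'No SecureTower artifacts found by these checks.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

A clean result only means these particular artifacts are absent; as the answer notes, individual modules can be disabled by policy and names can change between versions, so the checks are evidence, not proof.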

Perkov, 2014-01-14
@Perkov

You can see which ports on the work machine are in the LISTENING state, look at established connections and compare them with the task list, search for recently installed software, etc. There are many options.
The main thing is: why?
If UB installed it, then they are looking for something. If they see extra activity... it usually ends with them getting a bonus for their vigilance.

olegSH_V, 2014-01-16
@olegSH_V

Why - personal interest.
Thanks for the advice, everything turned out to be simpler:
the client created a folder with its name in C:\Program Files\, and you can also use the browser: the DLP replaces certificates with its own bearing the same name.
Thanks to all!
