Application protection rules specify the processes that Exploit Prevention monitors for buffer overflow and illegal API use violations. Only processes in the Application Protection Rules list with the inclusion status of Include are monitored.
Signature 344 is a Registry engine signature and that signature still provides protection regardless of what is listed/not listed as an App Protection Rule.
If you disable Signature 344, you should not see it trigger at all (regardless of the Application Protection Rules). Verify that Signature 344 is actually set to FALSE for Block and/or Report by checking the C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\bopap.xml file.
<Name>New Startup Program Creation</Name>
If this shows Signature 344 as both FALSE and you're still getting Sig344 violations from this client, yes, please open a Service Request with Support for investigation.