1. Even a single computer in whole network is not fully patched up with Microsoft Patches, or doesn't have latest definitions protection. It is potential risk to your environment for infection of W32.Downadup. So Make sure all computers are compliance with both of these.
2. Make sure users have complex passwords. As when any computer gets infected with downadup. It tries to hack user accounts from Activer directory. You might have seen user accounts getting locked up when there is infection of downadup. This is due to default policy of locking up account after 3 failed attempts in AD.
3. All admin (C$) share should be disabled. all shares should be password protected.
4. Autorun MUST be disabled. As it has been seen that this is generally main reason. Note that Autorun.inf is not infected file (its only a text file). However, the entries inside it would get executed if autorun is enabled. In other words, when autorun is enabled, threats can easily execute themselves with autorun from different media, computer shares, etc.
5. Intrusion prevention technology with Symantec Endpoint protection could be crucial against downadup. As only Antivirus & antispyware can't fully protect against downadup due to network attacks. Enable risk tracer after intalling intrusion prevention feature for SEP to trace the attacker machine.
and Last but not the least. Never assume that because you have definitions, so you can't get infected with viruses. Attackers are constantly trying to create new variants of threats so nobody is 100% protected and I guarantee that no security providers can give 100% guarantee that you computer will never be infected. If they do, they are liers.
Just be sure that you are fully up-to-date with all patches, definitions. Taking necessary measures for environment protection. and Most important, as soon as any possible infection. Immediately contact Support for further help if the threat is not getting detected.