The ONLY way to stop CryptoWall is through user education. I work hard to keep our users informed about current threats, and how to identify things that should not be clicked on.
We have been hit once, and that was not through email. User was on a website, clicked on a picture of an item she was interested in. The site had been hacked, and CW installed silently when she clicked the picture. We had minimal damage, but it was scary.
Since then, I have converted our systems to not use mapped drives to access network resources. Instead we use UNC paths, which CW cannot follow. By default, our user's documents automatically save to the network (again, UNC path), so if a machine gets infected we only have that machine to worry about.
But the only real protection is an educated workforce. If they click it, it's going to run...no AV or AS program is going to stop that.