We recently had a server on the network become infected with the Cryptowall virus. Luckily we have a pretty solid backup plan in place and were able to painlessly restore the server to a previous state without any issues. But how can we identify where the virus came from in the first place? We use a Sonic Wall firewall with the security suite that includes intrusion prevention, gateway anti virus, and anti spam. On top of that, all client workstations have AVG installed. I guess its still possible that an infected email got past the firewall but if it did then how do I go about finding that email?